1 Introduction

The group action framework is a powerful abstract tool to build cryptographic protocols such as non-interactive key exchange [CLM+18], signatures [BKV19], threshold schemes [CS20, DFM20], ring signatures [BKP20], group signatures [BDK+23], partial-blind signatures [KLLQ23], updatable encryption [LR22], and, among other things, various applications as discussed in [ADFMP20].

Isogenies provide the only known way to instantiate this framework in a manner resistant to quantum computers. There are two achievable flavours of group action: the “restricted" group action (REGA) such as the one introduced for the CSIDH key exchange in [CLM+18], and the “full” variant (EGA) introduced for the CSI-FiSh signature scheme in [BKV19]. While the restricted variant is already interesting, the full variant is required by the more elaborate constructions.

Unfortunately, isogeny-based group actions suffer from various problems. First, the underlying hard problem can be solved in subexponential time by a quantum computer [Kup05] which renders their security hard to estimate and reduces their efficiency. Second, current methods for instantiating the full variant require superpolynomial precomputation as demonstrated in [BKV19, DFFK+23] and reaffirmed in a recent blog post by PannyFootnote 1. This makes it computationally infeasible to obtain the full variant for group sizes of several thousands of bits.

The second obstacle is what motivated the introduction of the recent SCALLOP scheme in [DFFK+23] where the precomputation (while still superpolynomial) is much more practical than in the setting of CSI-FiSh [BKV19]. The authors of SCALLOP demonstrated the interest of their constructions by scaling the parameters to sizes known to be computationally unreachable in the setting of CSI-FiSh. However, the efficiency of SCALLOP is much worse than CSIDH, and the amount of precomputation required to reach the higher levels of security (equivalent to the CSIDH-8192 variant of [CSCDJRH22] for instance) promises to be quite extensive.

The improvements in scalability achieved by SCALLOP, when compared to CSI-FiSh, arise from using a distinct group and set in the group action. However, in order to define their group action, the set elements are no longer just j-invariants of supersingular elliptic curves, but curves together with extra data called “orientation". The necessity of carrying the orientation and computing the group action on the orientation is what renders the efficiency of SCALLOP bad in comparison to CSI-FiSh.

Recently, the field of isogeny-based cryptography has seen a major breakthrough with the successful cryptanalysis of the SIDH key exchange scheme by [CD23, MMP+23, Rob23]. This result was obtained by embedding isogenies between elliptic curves (isogenies of dimension 1) inside isogenies of higher dimension (2, 4 and 8) using Kani’s Lemma [Kan97]. Since then, these novel ideas have been used several times to build some post-quantum protocols such as encryption [BMP23], signature [DLRW23], or VRF [Ler23]. In short, our new construction SCALLOP-HD uses these ideas to represent orientations more efficiently and this leads to various improvements over SCALLOP that we list in the next section.

1.1 Contribution

In this work, we revisit the SCALLOP group action with the high dimensional isogenies at the heart of the attacks against SIDH. We show that these new techniques, and in particular, the idea of Robert [Rob22] that an arbitrary degree isogeny can be efficiently represented using high dimension isogenies allows us to simplify the framework of SCALLOP. Concretely, the improvements of SCALLOP-HD compared to the original SCALLOP can be summarized as follows:

  1. 1.

    A new orientation representation that uses the embedding techniques based of higher dimensional isogenies.

  2. 2.

    A simplified algorithm to compute the group action using Kani’s Lemma in dimension 2 that we expect will improve the efficiency.

  3. 3.

    The improvement from a merely subexponential to a polynomial complexity of the computation of the class group’s lattice of relation: the bottleneck in the precomputation required by SCALLOP. Hence, the reduction of the lattice of relations remains the only superpolynomial-time part in the precomputation of the SCALLOP-HD group action.

In doing so, we introduce a novel way of applying Kani’s Lemma in dimension 2 by building isogeny diamonds from two endomorphisms lying in the same quadratic order. This can be used to represent orientations and endomorphisms in dimension 2. We believe this new technique is interesting in its own right, and it was recently used in [Ler23] to provide a new algorithm to perform the Deuring correspondence using isogenies in dimension 2. We also briefly discuss another example where this new technique can be used in a recent endomorphism division algorithm in Remark 14.

Organization of the Paper. The rest of this paper is organized as follows. In Sect. 2, we introduce necessary mathematical background. Then, Sect. 3 explains how to construct group action from isogenies and outlines the progress towards obtaining a scalable EGA. In Sect. 4, we present the new orientation representation alongside the resulting group action formula. Section 5 introduces the SCALLOP-HD group action and provides example parameter choices. Section 6 discusses some remarks on the secruity of SCALLOP-HD. We conclude in Sect. 7 by summarizing the paper and discussing future work.

2 Preliminaries

2.1 Quaternion Algebras, Supersingular Elliptic Curves, Isogenies and the Deuring Correspondence

Quaternion Algebras. Let p be a prime and let \(\mathcal {B}_{p,\infty }\) denote the unique (up to isomorphism) quaternion algebra ramified precisely at p and \(\infty \). We fix a \(\mathbb {Q}\)-basis \(\langle 1, {\textbf {i}}, {\textbf {j}}, {\textbf {k}}\rangle \) of \(\mathcal {B}_{p,\infty }\) that satisfies \({\textbf {i}}^2=-q\), \({\textbf {j}}^2=-p\) and \({\textbf {k}}={\textbf {i}}{} {\textbf {j}}=-{\textbf {j}}{} {\textbf {i}}\) for some integer q. A fractional ideal I in \(B_{p,\infty }\) is a \(\mathbb {Z}\)-lattice of rank 4. We denote by n(I) the norm of I as the largest rational number such that \(n(\alpha ) \in n(I)\mathbb {Z}\) for any \(\alpha \in I\). An order \(\mathcal {O}\) is a subring of \(B_{p,\infty }\) that is also a fractional ideal. An order is called maximal when it is not contained in any other larger order. A fractional ideal is integral if it is contained in its left order \(\mathcal {O}_L(I) = \{\alpha \in \mathcal {B}_{p,\infty }\;|\; \alpha I \subset I \}\), or equivalently in its right order \(\mathcal {O}_R(I) = \{\alpha \in \mathcal {B}_{p,\infty }\;|\; I\alpha \subset I \}\).

Supersingular Elliptic Curves and Isogenies. Let \(E,E_1,E_2\) be elliptic curves defined over a finite field of characteristic p. An isogeny from \(E_1\) to \(E_2\) is a non-constant rational map that is simultaneously a group homomorphism. An isogeny from a curve E to itself is an endomorphism. The set \({{\,\textrm{End}\,}}(E)\) of all endomorphisms of E forms a ring under addition and composition. \({{\,\textrm{End}\,}}(E)\) is either an order in an imaginary quadratic field and E is called ordinary, or a maximal order in \(\mathcal {B}_{p,\infty }\), in which case E is called supersingular.

The Deuring Correspondence. Fix a supersingular elliptic curve \(E_0\), and an order \(\mathcal {O}_0 \simeq {{\,\textrm{End}\,}}(E_0)\). The curve/order correspondence allows one to associate to each outgoing isogeny \(\varphi : E_0 \rightarrow E_1\) an integral left \(\mathcal {O}_0\)-ideal, and every such ideal arises in this way (see [Koh96] for instance). Through this correspondence, the ring \({{\,\textrm{End}\,}}(E_1)\) is isomorphic to the right order of this ideal. This isogeny/ideal correspondence is defined in [Wat69], and in the separable case, it is explicitly given as follows.

Definition 1

Given I an integral left \(\mathcal {O}_0\)-ideal coprime to p, we define the I-torsion \(E_0[I]= \lbrace P \in E_0(\overline{\mathbb {F}}_{p^2}): \alpha (P)= 0 \text{ for } \text{ all } \alpha \in I \rbrace \). To I, we associate the separable isogeny \(\varphi _I\) of kernel \(E_0[I]\). Conversely given a separable isogeny \(\varphi \), the corresponding ideal is defined as \(I_\varphi = \lbrace \alpha \in \mathcal {O}_0 \;:\; \alpha (P) = 0 \text{ for } \text{ all } P \in \text {ker}(\varphi ) \rbrace \).

We summarize properties of the Deuring correspondence in Table 1, borrowed from [DFKL+20].

Table 1. The Deuring correspondence, a summary [DFKL+20].
Full size table

2.2 Quadratic Orders and Orientations on Supersingular Elliptic Curves

Let d be a positive square-free integer and \(K = \mathbb Q(\sqrt{-d})\) be an imaginary quadratic field with discriminant \(D_K\). Let \(\mathfrak {O}\subseteq K\) be an order with discriminant \(D_\mathfrak {O}\). Explicitly, \(\mathfrak {O} = \mathbb {Z}[\frac{D_\mathfrak {O}+\sqrt{D_\mathfrak {O}}}{2}]\). Any element \(\alpha \in \mathfrak {O}\) can be written as \(x+y\frac{D_\mathfrak {O}+\sqrt{D_\mathfrak {O}}}{2}\) with \(x,y\in \mathbb {Z}\), and \(\{1,\alpha \}\) is a \(\mathbb {Z}\)-basis of \(\mathfrak {O}\) if and only if \(y = 1\). One can compute the norm of \(\alpha \) and thus derive the norm form \(f_\mathfrak {O}\) of \(\mathfrak {O}\):

$$\begin{aligned} f_\mathfrak {O}(x,y) = x^2 + D_\mathfrak {O}xy + y^2 \frac{D_\mathfrak {O}(D_\mathfrak {O}-1)}{4}. \end{aligned}$$

For any order \(\mathfrak {O}\), the class group \(\text {Cl}(\mathfrak {O})\) consists of the invertible fractional ideals of \(\mathfrak {O}\) up to principal factors and is of order \(D_\mathfrak {O}^{o(1)}\). When \(\mathfrak {O}= \mathfrak {O}_K\) is the maximal order with discriminant \(D_K\), computing \(\text {Cl}(\mathfrak {O}_K)\) takes time \(L_{D_K}(1/2)\) classically [HM89] and polynomial time quantumly [BS16]. When \(\mathfrak {O}= \mathbb {Z}+ f\mathfrak {O}_K\) where f is a prime and \(\text {Cl}(\mathfrak {O}_K) = \{1\}\), there is a simple characterization of \(\text {Cl}(\mathfrak {O})\) as discussed in [DFK+23, Appx. A]. Specifically, \(\text {Cl}(\mathfrak {O})\) satisfies the following short exact sequence

$$\begin{aligned} 1\rightarrow \mathfrak {O}_K^*/\mathfrak {O}^* \rightarrow (\mathfrak {O}_K/(f))^*/(\mathfrak {O}/(f))^*\rightarrow \text {Cl}(\mathfrak {O})\rightarrow 1, \end{aligned}$$

and they showed that

$$(\mathfrak {O}_K/(f))^*/(\mathfrak {O}/(f))^*\cong {\left\{ \begin{array}{ll} \mathbb {F}_f^* \ \; &{}\text {if} \; f \text { splits in } K, \\ \mathbb {F}_{f^2}^*/\mathbb {F}_f^* \ \; &{}\text {if} \; f \text { is inert in } K. \\ \end{array}\right. }$$

In particular, this suggests that \(\text {Cl}(\mathfrak {O})\) is always cyclic for these orders as it is isomorphic to a quotient of a cyclic group, and \(\text {Cl}(\mathfrak {O})\) is easy to compute. Furthermore, this implies that \(\#\text {Cl}(\mathfrak {O}) = \left( f - \genfrac(){}{}{D_K}{f} \right) \frac{1}{|\mathfrak {O}_K^*|/2}\).

Quadratic orders and their class groups are playing an increasingly important role in isogeny-based cryptography, in particular since Colò and Kohel introduced orientations on supersingular elliptic curves in [CK20]. In what follows, we recall the basic definitions and important properties regarding orientations.

Definition 2

Let E be a supersingular elliptic curve over \(\mathbb F_{p^2}\), K be an imaginary quadratic field and \(\mathfrak {O}\subseteq K\) be a suborder. Then a K-orientation on E is a ring homomorphism \(\iota : K \hookrightarrow {{\,\textrm{End}\,}}(E)\otimes \mathbb Q\). This K-orientation induces an \(\mathfrak {O}\)-orientation on E if \(\iota (\mathfrak {O}) = {{\,\textrm{End}\,}}(E)\cap \iota (K)\). In this case, the pair \((E,\iota )\) is called a \(\mathfrak {O}\)-oriented curve and E is a \(\mathfrak {O}\)-orientable curve.

Note that here we use \(\mathfrak {O}\)-orientation to indicate the primitive \(\mathfrak {O}\)-orientation from [CK20].

Let \(E'\) be another supersingular curve and \(\varphi : E \rightarrow E'\) be an isogeny. Let \(\iota \) be a K-orientation on E, then there is an induced K-orientation \(\iota ' = \varphi _*(\iota )\) on \(E'\) defined to be \(\varphi _*(\iota )(\omega ) := \frac{1}{\deg (\varphi )} \varphi \circ \iota (\omega ) \circ \widehat{\varphi } \in {{\,\textrm{End}\,}}(E')\otimes \mathbb Q\). An isogeny of K-oriented elliptic curves \(\varphi : (E,\iota ) \rightarrow (E', \iota ')\) is an isogeny \(\varphi :E \rightarrow E'\) such that \(\iota ' = \varphi _*(\iota )\); we call this a K-oriented isogeny. A K-oriented isogeny is a K-isomorphism if it is an isomorphism of the underlying curves.

For a fixed imaginary quadratic order \(\mathfrak {O}\subseteq K\), we consider the collection of all \(\mathfrak {O}\)-oriented curves and define the following set:

$$\begin{aligned} \mathcal {S}_\mathfrak {O}(p)= \{(E,\iota )\mid (E,\iota ) \text{ is } \text{ an } \mathfrak {O}\text{-oriented } \text{ curve }\}/\sim , \end{aligned}$$

where two oriented curves are equivalent if they are K-isomorphic.

Here we recall the following conditions for the set \(\mathcal {S}_\mathfrak {O}(p)\) to be non-empty.

Proposition 3

([Onu21, Proposition 3.2]). The set \(\mathcal {S}_\mathfrak {O}(p)\) is not empty if and only if p does not split in K and does not divide the conductor of \(\mathfrak {O}\).

When \(\mathcal {S}_\mathfrak {O}(p)\) is non-empty, the set of invertible \(\mathfrak {O}\)-ideals acts on it. Specifically, let \(\mathfrak {a}\) be an such an ideal and \((E,\iota _E)\in \mathcal {S}_\mathfrak {O}(p)\), then

$$\begin{aligned} \mathfrak {a}\star (E,\iota _E): = (E_\mathfrak {a},\iota _{E_\mathfrak {a}}), \end{aligned}$$

where \(E_\mathfrak {a}\) is the codomain of the isogeny \(\phi _\mathfrak {a}\) whose kernel is \(E[\mathfrak {a}]:=\cap _{a\in \mathfrak {a}}\ker \iota _E(a)\) and \(\iota _{E_\mathfrak {a}}\) is the induced orientation on \(E_\mathfrak {a}\) by \(\phi _\mathfrak {a}\). Principal \(\mathfrak {O}\)-ideals act trivially on \((E,\iota _E)\), therefore this action induces an action of \(\text {Cl}(\mathfrak {O})\) on \(\mathcal {S}_\mathfrak {O}(p)\). It was shown in [Onu21] that this is action is free and it has one or two orbits.

2.3 New Isogeny Representation in Higher Dimensions

An isogeny representation is a way to effectively represent the isogeny so that there is an efficient algorithm for evaluating the isogeny on given points. Common representations include rational maps, isogeny chains, and kernel representation. However, these methods are no longer compact or efficient when the degree d of the isogeny is a large prime and the kernel points are defined over a large degree extension field of \(\mathbb F_p\).

The Deuring correspondence allows us to efficiently represent such isogenies with their corresponding ideals in maximal quaternion orders, this is call the ideal representation. This, however, reveals the endomorphism rings for both the domain and codomain curve. To remedy the situation, Leroux in [Ler22a] introduced another representation called the suborder representation which is not strictly an isogeny representation but satisfies a weaker definition as introduced in [CII+23] and requires to reveal the endomorphism ring of the domain curve.

Finally, Robert [Rob22] suggested to use the techniques used in SIDH attacks [CD23, MMP+23, Rob23] to obtain a new isogeny representation, by embedding the desired isogeny between supersingular elliptic curves into an isogeny between abelian varieties of higher dimension. While not named as such in Robert’s paper, we refer to it as high dimension representation in our paper. This new representation doesn’t reveal the endomorphism rings and is much more efficient than suborder representation. It consists only of evaluation of the isogeny to be represented on points of smooth order, and in the right setting it can be pretty easy to compute. While used destructively at first, it has been recently used constructively for building various protocols [DLRW23, Ler23, BMP23, DMS23]. For a detailed account of of the “old" isogeny representations, like the kernel or ideal representation, see [Ler22b]. In what follows, we explain in more details the idea of high dimension representation in dimension 2. The main result behind this representation is Kani’s Lemma [Kan97] that we present below as Lemma 4.

Lemma 4

(Kani). Let us consider a commutative diagram of isogenies between principally polarized abelian varieties of dimension g

figure a

where \(\varphi \) and \(\varphi '\) are a-isogenies and \(\psi \) and \(\psi '\) are b-isogenies for integers ab. The isogeny \(F: A\times B'\longrightarrow B\times A'\) given in matrix notation by

$$F:=\left( \begin{matrix} \varphi &{} \widetilde{\psi '}\\ -\psi &{} \widetilde{\varphi '} \end{matrix}\right) $$

is a d-isogeny between abelian varieties of dimension 2g with \(d=a+b\), for the product polarisations.

If \(\ker \widetilde{\varphi }\cap \ker \psi ' = \lbrace 0 \rbrace \), the kernel of F is

$$\begin{aligned} \ker (F)=\{(\widetilde{\varphi }(x),\psi '(x))\mid x\in B[d]\}. \end{aligned}$$

Similarly, if \(\ker \varphi \cap \ker \psi = \lbrace 0 \rbrace \), then

$$\begin{aligned} \ker ( \widetilde{F})=\{(\varphi (x),\psi (x))\mid x\in A[d]\}. \end{aligned}$$

The commutative diagram in Lemma 4 is often called as an isogeny diamond. Following the notations introduced in [Ler23], we call a \( 2 \textsf{dim}\)-representation of an isogeny \(\varphi : A \rightarrow B\) between two elliptic curves AB any data from which the isogeny F obtained by applying Lemma 4 with \(g=1\) can be computed efficiently. The idea is that \(\varphi \) can be recovered from F by pre-composition with any embedding \(A \rightarrow A \times B'\) that acts as the identity on A, and post-composition with the canonical projection \(B \times A' \rightarrow B\).

To represent the orientation of our SCALLOP-HD group action in Sect. 4.1, we will use the \( 2 \textsf{dim}\)-representation of an endomorphism with a commutative diagram obtained from two commuting endomorphisms.

Remark 5

One could also embed the isogeny \(\varphi \) in isogenies between abelian varieties in dimension 4 or 8, as discussed for the SQISignHD protocol in [DLRW23]. The higher the dimension, the easier it is to generate the isogeny diamond, however, the complexity of computing isogenies between abelian varieties scales exponentially with the dimension. This is why it is generally better to use the smallest possible dimension. In SQISignHD, it is argued that dimension 2 isogenies do not provide a clear advantage over the original SQISign scheme [DFKL+20] due to the complexity to set-up the isogeny diamond, which is the main reason why SQISignHD works with dimension 4 and dimension 8. In our case, thanks to the idea of using isogeny diamond built from commuting endomorphisms, we will be able to work dimension 2 to achieve better efficiency.

3 Group Action in Isogeny-Based Cryptography

Informally, a group action is a map of the form \(\star : G\times X \rightarrow X\), where G is a group and X is a set, such that for any \(g_1,g_2\in G\) and any \(x\in X\), we have

$$\begin{aligned} g_1\star (g_2\star x) = (g_1g_2)\star X. \end{aligned}$$

We revisit here the concepts of effective group action (EGA) and restricted effective group action (REGA) from [ADFMP20], which capture the essence of two types of group actions used in isogeny-based cryptography. To clarify the distinction between the two and align with subsequent discussions, we exclude details concerning the set X — specifically, membership testing, unique representation, and the existence of the origin in X.

Definition 6

(EGA) A group action \((G,X,\star )\) is effective if the following properties are satisfied:

  1. 1.

    The group G is finite and there exist efficient (PPT) algorithms for:

    1. (a)

      Membership testing, i.e., to decide if a given bit string represents a valid group element in G.

    2. (b)

      Equality testing, i.e., to decide if two bit strings represent the same group element in G.

    3. (c)

      Sampling, i.e., to sample an element g from a distribution \(\mathcal {D}_G\) on G.

    4. (d)

      Operation, i.e., to compute gh for any \(g,h\in G\).

    5. (e)

      Inversion, i.e., to compute \(g^{-1}\) for any \(g\in G\).

  2. 2.

    There exists an efficient algorithm that given (some bit-string representation of) any \(g\in G\) and any \(x\in X\), outputs \(g\star x\).

Definition 7

(REGA) Let \((G,X,\star )\) be a group action and let \(\textbf{g} = \{g_1,\ldots ,g_n\}\) be a (not necessarily minimal) generating set for G. The action is said to be \(\textbf{g}\)-restricted effective if the following properties are satisfied:

  1. 1.

    G is finite and \(n = \textsf{poly}(\log |G|)\).

  2. 2.

    There exists an efficient algorithm that given any \(i\in [n]\) and any bit string representation of \(x\in X\), outputs \(g_i \star x\) and \(g_i^{-1}\star x\).

Existing instantiation of this definition from isogenies are all based on the ideal class group action. Specifically, it’s the action of \(\text {Cl}(\mathfrak {O})\) on \(\mathcal {S}_\mathfrak {O}(p)\) for some imaginary quadratic \(\mathfrak {O}\) as defined in Sect. 2.2. This action can be made a REGA immediately by choosing a generating set \(\textbf{g} = \{\mathfrak {l}_1,\ldots ,\mathfrak {l}_n\}\), where each \(\mathfrak {l}_i\) is a prime ideal of small norm. To further convert this action into an EGA, challenges arise in sampling elements from a distribution \(\mathcal {D}_G\) on G, and computing the action \(g\star x\) for \(g\in G\) sampled from \(\mathcal {D}_G\) and \(x\in X\). In this paper, we restrict our interest to the uniform distribution \(\mathcal {U}_G\).

In [BKV19], Beullens, Kleinjung, and Vercauteren laid out a general strategy to turn the class group action from a REGA to an EGA as follows:

  1. 1.

    Offline phase:

    1. 1.1

      Class group computation - Compute a generator \(\mathfrak {g}\) of the class group \(\text {Cl}(\mathfrak {O})\), which is possible because generically \(\text {Cl}(\mathfrak {O})\) is cyclic.

    2. 1.2

      Construct the lattice of relations \(\mathcal {L}\) - This lattice is generated by the column vectors of the following matrix

      $$\begin{pmatrix} 1 &{} 0 &{} 0 &{} \dots &{} 0&{}0 \\ 0 &{} 1 &{} 0 &{} \dots &{} 0&{}0 \\ 0 &{} 0 &{} 1&{} \dots &{} 0&{}0\\ \vdots &{} \vdots &{} \vdots &{} \ddots &{} \vdots &{} \vdots \\ 0&{}0&{}0&{}\dots &{}1&{}0\\ r_1 &{} r_2 &{}r_3 &{} \dots &{}r_n&{} \#\text {Cl}(\mathfrak {O}) \end{pmatrix},$$

      where \(r_i's\) are integers such that \([\mathfrak {l}_i] = [\mathfrak {g}^{r_i}]\).

    3. 1.3

      Lattice reduction - Compute a reduced basis of \(\mathcal {L}\) suitable for solving approximate-CVP.

  2. 2.

    Online phase:

    1. 2.1

      Solve approximate-CVP - Given \(\mathfrak {g}^e\in \text {Cl}(\mathfrak {O})\), solve approximate-CVP to find a decomposition \(\mathfrak {g}^e = \prod _{i=1}^{i=n}\mathfrak {l}_i^{e_i}\) with small exponents.

    2. 2.2

      Group action evaluation - Compute the action \((\prod _{i=1}^{i=n}\mathfrak {l}_i^{e_i})\star (E,\iota _E)\) for \((E,\iota _E)\in \mathcal {S}_\mathfrak {O}(p)\).

This strategy allowed Beullens, Kleinjung and Vercauteren to extend the REGA behind the CSIDH key exchange [CLM+18] to an EGA, leading to the construction of the signature scheme CSI-FiSh. They worked with the imaginary quadratic order \(\mathbb {Z}[\sqrt{-p}]\) which has a discriminant of 154 digits. The primary challenge for them was computing the class group \(\text {Cl}(\mathbb {Z}[\sqrt{-p}])\), and the remaining steps were efficient, essentially due to the fact that they could use a relatively small n and consequently, a lattice with rather small dimension. However, their method can’t be scaled for bigger prime p due to the infeasibility of the class group computations.

To address this, SCALLOP [DFFK+23] proposed the use of a distinct class of quadratic orders of the form \(\mathfrak {O}= \mathbb {Z}[f\sqrt{-d}]\), where f is a large prime and d is a small positive integer. While this sidesteps the class group computation challenges as discussed in Sect. 2.2 and enhances scalability, it introduces representation complexities for the set elements—oriented curves \((E,\iota _E)\). In order to achieve an efficient representation, an generator of \(\mathfrak {O}\) of smooth norm should be found, constraining the choice of f and yielding a class group with a non-smooth size. Consequently, the second step of precomputation—computing the lattice of relation—remains subexponential in time due to the need to solve discrete logarithms in groups with subexponential order sizes. Moreover, SCALLOP demands more computations to perform the group action, rendering it much slower than CSI-FiSh.

The security of CSIDH, CSI-FiSh and SCALLOP relies on the hardness of the vectorization problem. Abstractly, for a transitive group action, this problem is defined as follows.

Problem 8

(Vectorization) Given \(x,y\in X\), find \(g\in G\) such that \(y=g\star x\).

According to [Wes22, Proposition 3], the fastest known generic classically method to solve the vectorization problem associated to the group action has complexity \(l^{O(1)}|D_\mathfrak {O}|^{1/4}\) where l denotes the length of the input. In the setting of SCALLOP, this is \(\log (p+|D_\mathfrak {O}|)^{O(1)}\min (p^{1/2},f^{1/2})\) [DFFK+23, Section 4].

The main quantum approach to solve the vectorization problem is given by Kuperberg’s abelian hidden-shift algorithm [Kup05] and descendants, where the hidden “shift" corresponds to the secret group element g given x and \(y=g\star x\). Even though it is known to take subexponential time L[1/2], determining the precise quantum cost for concrete group actions appears difficult. Since 2020, a series of papers [BLMP19, BS20, Pei20, CSCDJRH22] has been studying the quantum security of CSIDH, with some authors claiming that CSIDH-512 and CSIDH-1024 fall far short of reaching NIST security level 1. Instead, [BS20] recommended that the CSIDH prime p should be upgraded to at least 2260 or 5280 bits, according to what they named as aggressive and conservative modes, respectively. [CSCDJRH22] recommended to use a CSIDH prime of 4096 bits for the level 1 security and 6144 bits for level 2. These analyses, together with the desire of obtaining EGAs from isogenies, have spurred the motivation to improve the scaling of isogeny-based group actions to larger sizes. Since the known quantum attacks work essentially the same for all CRS-style group actions, we will also model the security of SCALLOP using the analyses for CSIDH. Specifically, this means we match the size of the class group \(\#\text {Cl}(\mathfrak {O})\) with that of CSIDH to estimate the quantum security level of SCALLOP. In this line of research, CSI-FiSh was only able to scale to achieve the security level of CSIDH-512, and SCALLOP managed to scale to achieve the security level of CSIDH-1024.

4 \( 2 \textsf{dim}\)-Representation of Orientations and Endomorphisms

In this section, we introduce a new representation called \( 2 \textsf{dim}\)-representation of orientations and endomorphisms. Since representing an endomorphism \(\theta \) amounts to representing any \(\theta + n \in \mathbb {Z}[\theta ]\), representing orientations and endomorphisms are essentially the same thing in different languages. Therefore, even though the results in this section are mostly stated with respect to orientations, they apply to endomorphisms as well.

In Sect. 4.1, we introduce the definition of our \( 2 \textsf{dim}\)-representation for orientations and discuss how to recover the orientation from the \( 2 \textsf{dim}\)-representation, then in Sect. 4.2, we show that any orientation (endomorphism) admits a \( 2 \textsf{dim}\)-representation that can be computed in polynomial time. Finally, in Sect. 4.3, we conclude with a formula that computes the \(\text {Cl}(\mathfrak {O})\)-action on the set \(\mathcal {S}_\mathfrak {O}(p)\) with set elements given by \( 2 \textsf{dim}\)-representations.

While our \( 2 \textsf{dim}\)-representation is introduced to represent orientations appearing in SCALLOP-HD, this technique also has other applications in isogeny-based cryptography.

4.1 \( 2 \textsf{dim}\)-Representation

Let \((E,\iota _E)\) be an \(\mathfrak {O}\)-oriented supersingular elliptic curve. Motivated by the idea of \( 2 \textsf{dim}\) representation of isogenies, we introduce the following definition.

Definition 9

Let \(\mathfrak {O}\) be an imaginary quadratic order with discriminant \(D_\mathfrak {O}\) and odd conductor f. Given an \(\mathfrak {O}\)-oriented supersingular elliptic curve \((E,\iota _E)\), take any \(\omega \in \mathfrak {O}\) such that \(\mathfrak {O}= \mathbb {Z}[\omega ]\) and define \(\omega _E:=\iota _E(\omega )\). Let \(\beta \in \mathfrak {O}\) such that \(n(\omega )+n(\beta )=2^e\) and \(\gcd (n(\beta ),n(\omega )) =1\). Let PQ be a basis of \(E[2^e]\). Then the tuple \((E,\omega ,\beta ,P,Q,\omega _E(P),\omega _E(Q))\) is called a \( 2 \textsf{dim}\)-representation of \((E,\iota _E)\).

Given a \( 2 \textsf{dim}\)-representation \((E,\omega ,\beta ,P,Q,\omega _E(P),\omega _E(Q))\) of \((E,\iota _E)\), let \(\beta _E := \iota _E(\beta )\), we immediately have the following isogeny diamond.

figure b

From here, we can define an isogeny \(F_E:E^2\rightarrow E^2\) by the matrix

$$F_E:=\left( \begin{array}{cc} \hat{\omega }_E &{} \hat{\beta }_E\\ -\beta _E &{} \omega _E \end{array}\right) .$$

And as discussed in Sect. 2.3, if \(\ker \omega _E\cap \ker \beta _E = \{0\}\), then

$$\begin{aligned} \ker F_E = \{(\omega _E(R),\beta _E(R))\mid R \in E[2^e]\}. \end{aligned}$$

Since \(\beta \) is a translated scalar multiplication of \(\omega _E\), knowing the evaluation of \(\omega _E\) on \(E[2^e]\) suffices to compute \(\ker F_E\), and to compute the endomorphism \(\omega _E\).

4.2 Computing a \( 2 \textsf{dim}\)-Representation

Now, we explain how to compute a \( 2 \textsf{dim}\)-representation for an \(\mathfrak {O}\)-orientation when the discriminant \(D_\mathfrak {O}\) is equal to \(5 \bmod 8\).

Proposition 10

Let \(\mathfrak {O}\) be an imaginary quadratic order of discriminant equal to \(5 \bmod 8\), then any \((E,\iota _E)\in \mathcal {S}_\mathfrak {O}(p)\) admits a \( 2 \textsf{dim}\)-representation as in Definition 9.

Proof

To prove this result, it suffices to show that we can always find \(e \in \mathbb {N}, \omega , \beta \in \mathfrak {O}\) such that

$$\mathfrak {O}= \mathbb {Z}[\omega ], \quad \gcd (n(\omega ),n(\beta )) =1, \quad n(\omega )+n(\beta ) = 2^e.$$

Using the explicit representation of \(\mathfrak {O}\) given in Sect. 2.2, \(\omega = x + \frac{D_\mathfrak {O}+\sqrt{D_\mathfrak {O}}}{2}\) and \(\beta = y + z \frac{D_\mathfrak {O}+\sqrt{D_\mathfrak {O}}}{2}\) for some integers xyz. Therefore, the last condition above translates to finding an integer solution to the following equation:

$$\begin{aligned} x^2 + D_\mathfrak {O}x + \frac{D_\mathfrak {O}(D_\mathfrak {O}-1)}{4} + y^2 + D_\mathfrak {O}yz + \frac{D_\mathfrak {O}(D_\mathfrak {O}-1)}{4}z^2 = 2^e. \end{aligned}$$
(1)

Rewriting  Eq. (1) and multiplying both sides by 4 gives rise to the following:

$$\begin{aligned} (2x+D_\mathfrak {O})^2 + (2y + D_\mathfrak {O}z)^2 = 2^{e+2} +D_\mathfrak {O}(z^2+1). \end{aligned}$$
(2)

This equation can be solved efficiently by taking a random z and trying to express \(2^{e+2} + D_\mathfrak {O}(1+z^2)\) as a sum of two-squares with Cornacchia’s algorithm. When e is large enough, we will be able to try enough z that one will give a solution. No matter what value of z we choose, we see that \(2^{e+2}+ D_\mathfrak {O}(1+z^2)\) is either equal to 1 mod 4 or 2 times a number that is equal to 1 mod 4. As all numbers that can be written as a sum of two squares satisfy this constraint, we see that there is no obstacle there. Moreover, when \(D_\mathfrak {O}= 5 \bmod 8\), we can see that the norm of \(\omega = x + \frac{D_\mathfrak {O}+ \sqrt{D_\mathfrak {O}}}{2}\) is always odd. Thus, \(n(\omega )\) and \(n(\beta )\) are coprime since they sum to a power of 2.    \(\square \)

We now detail the resolution of Eq. (2) with the OrientDiamondDim2 algorithm. The name suggests this algorithm is for building an isogeny diamond for a \( 2 \textsf{dim}\)-representation of an orientation. Proposition 12 shows that such a diamond can be constructed in polynomial time. We also consider a constant C that is an implicit parameter of OrientDiamondDim2.

Algorithm 1
figure c

. \(\textsf {OrientDiamondDim2}(D_\mathfrak {O})\)

Full size image

The complexity statement on Algorithm 1 only holds assuming some plausible heuristic regarding the distribution of number of the form \(2^e + D (1+z^2)\) that we state below as Heuristic 11.

Heuristic 11

Let \(e, D_\mathfrak {O}\) be as in Algorithm 1. If \(D_\mathfrak {O}= 5 \bmod 8\), and z are sampled as random integers then the integers \(2^{e+2} + D_\mathfrak {O}(1+z^2)\) behave like random integers of the same size that are either congruent to \(1 \bmod 4\) or equal to 2 times an integer that is equal to 1 modulo 4.

Proposition 12

Assuming Heuristic 11, and \(D_\mathfrak {O}= 5 \bmod 8\), \(\textsf {OrientDiamond}\textsf {Dim2}\) is correct, runs in \(O\left( \textsf{poly}\left( C\log (|D_\mathfrak {O}|)\right) \right) \), and there exists a constant \(C'\) such that the computation has succeeded with probability at least:

$$1 - (1 - C'/\log (|D_\mathfrak {O}|))^{ \sqrt{C \log (D_\mathfrak {O})}}.$$

Proof

The correctness of Algorithm 1 follows from the observation that the outputs \(\omega ,\beta \) will always satisfy that \(\mathfrak {O}= \mathbb {Z}[\omega ], \gcd (n(\omega ),n(\beta ))=1\) and \(n(\omega )+n(\beta ) = 2^e.\) In particular, M is either congruent to \(1\bmod 4\) or equal to 2 times an integer that is congruent to \(1 \bmod 4\) depending on the parity of z, then at least one of XY is odd. In either cases, both \(X-D_\mathfrak {O}\) and \(Y-zD_\mathfrak {O}\) will be even.

The complexity follows from the fact that we perform \(O(\sqrt{C \log (|D_\mathfrak {O})|}\) iteration of the loop and that the operations required inside each iteration are logarithmic in \(|D_\mathfrak {O}|\). The integers M have size \(C (\log |D_\mathfrak {O}|) |D_\mathfrak {O}|\) and we assume that they behave like random integers under Heuristic 11, therefore there is a constant \(C'\) such that either M/2 or M is prime with probability higher than \(C'/(\log |D_\mathfrak {O}|)\). The bound on the success probability follows directly from there.    \(\square \)

Remark 13

We choose to work with isogenies in dimension 2 of degree \(N = 2^e\) for efficiency of computing such isogenies in practice, and we later choose p such that \(2^e\)-torsion is defined over \(\mathbb F_{p^2}\) in the set up of SCALLOP-HD. However, our definition for \( 2 \textsf{dim}\)-representation and OrientDiamondDim2 easily generalizes to general degree N. Explicitly, it suffices to require that

$$n(\omega )+n(\beta ) = N$$

in Definition 9, and to solve the equation

$$ (2x+D_\mathfrak {O})^2 + (2y + D_\mathfrak {O}z)^2 = 4N +D_\mathfrak {O}(z^2+1)$$

to find \(\omega ,\beta \). This equation can be solved similarly except that one needs to impose a different congruence condition on \(D_\mathfrak {O}\) with respect to that of N to ensure that the right hand side is a sum of two squares with non-negligible probability. One particular interesting case is when N is chosen to be powersmooth as in this case the torsion subgroup E[N] can be effectively represented. Despite the condition that \(D_\mathfrak {O}\equiv 5 \bmod 8\) in Proposition 10, this remark justifies our claim that every orientation and endomorphism can be effectively represented by an isogeny in between abelian surfaces.

Remark 14

By choosing N to be powersmooth, our \( 2 \textsf{dim}\)-representation can be applied to [HW23, Algorithm 1] to replace the isogeny computations in dimension 8 with computations in dimension 2, improving its efficiency.

4.3 Class Group Action Evaluation

Let \([\mathfrak {a}]\in \text {Cl}(\mathfrak {O})\) where \(\mathfrak {a}\) is an integral \(\mathfrak {O}\)-ideal such that \(\gcd (n(\mathfrak {a}),2)=1\). We now explain how to calculate the group action introduced in Sect. 2.2 in the context of the \( 2 \textsf{dim}\)-representation.

Let \((E,\omega ,\beta ,P,Q,\omega _E(P),\omega _E(Q))\) be a \( 2 \textsf{dim}\)-representation of \((E,\iota _E)\), to calculate a \( 2 \textsf{dim}\)-representation for \((E_\mathfrak {a},\iota _{E_\mathfrak {a}})\), we can keep the same \(\omega \) and \(\beta \). Since \(\gcd (n(\mathfrak {a}),2)=1\), \(\{\phi _\mathfrak {a}(P),\phi _\mathfrak {a}(Q)\}\) form a basis of \(E_\mathfrak {a}[2^e]\). By definition,

$$\iota _{E_\mathfrak {a}}(\phi _\mathfrak {a}(P,Q)) = \frac{1}{n(\mathfrak {a})}\phi _\mathfrak {a}\circ \omega _E \circ \hat{\phi }_\mathfrak {a}(\phi _\mathfrak {a}(P,Q)) = \phi _\mathfrak {a}(\omega _E(P,Q)).$$

Let \(\lbrace R,S\rbrace \) be a basis for \(E_\mathfrak {a}[2^e]\), such as the one computed by a deterministic algorithm that computes a basis. Given \(P,Q,\omega _E(P),\omega _E(Q)\in E[2^e]\), to compute \(\iota _{E_\mathfrak {a}}(\omega )(R)\) and \(\iota _{E_\mathfrak {a}}(\omega )(S)\), we first write RS as linear combinations of \(\phi _\mathfrak {a}(P)\) and \(\phi _\mathfrak {a}(Q)\), then compute \(\iota _{E_\mathfrak {a}}(\omega )(R)\) and \(\iota _{E_\mathfrak {a}}(\omega )(S)\) from \(\iota _{E_\mathfrak {a}}(\phi _\mathfrak {a}(P))=\phi _\mathfrak {a}(\omega (P))\) and \(\iota _{E_\mathfrak {a}}(\phi _\mathfrak {a}(Q))=\phi _\mathfrak {a}(\omega (Q))\).

5 SCALLOP-HD Group Action

In this section, we introduce SCALLOP-HD, an effective group action (EGA). SCALLOP-HD builds on SCALLOP by using the same group action, i.e., \(\text {Cl}(\mathfrak {O})\) acts on \(\mathcal {S}_\mathfrak {O}(p)\) for \(\mathfrak {O}= \mathbb {Z}[f\sqrt{-d}]\). However, SCALLOP-HD deviates from SCALLOP by representing the set elements differently. Precisely, SCALLOP-HD uses the \( 2 \textsf{dim}\)-representation for \((E,\iota _E)\in \mathcal {S}_\mathfrak {O}(p)\). It turns out that this choice significantly simplifies the group action computation, and removes some of the constraints on parameter choices, which essentially is due to the fact that we no longer need to find a generator of \(\mathfrak {O}\) of smooth norm, removing the trade-off between the smoothness of the generator norm and the group size \(\#\text {Cl}(\mathfrak {O})\). As has been mentioned before, SCALLOP-HD has better scalability and has the potential of being more efficient.

5.1 Outline of SCALLOP-HD

It is clear from Sect. 3 that to introduce an EGA using the class group action, one needs to

  • specify the group and the set,

  • convert the action into a REGA by choosing the set \(\textbf{g}\) as in Definition 7,

  • and derive an EGA following the stragety outlined in Sect. 3.

To define the group action, we start with choosing the field characteristic p and the quadratic order \(\mathfrak {O}\), they determine the group \(\text {Cl}(\mathfrak {O})\) and the set \(\mathcal {S}_\mathfrak {O}(p)\). When making these choices, there are two aspects one needs to take into consideration – first, from a security point of view, the vectorization problem of the action should be hard; second, from an efficiency point of view, p should be of a particular form so that the torsion points involved in subsequent calculations are defined over \(\mathbb F_{p^2}\), and additionally \(\mathfrak {O}\) should be an order for which \(\#\text {Cl}(\mathfrak {O})\) is as smooth as possible for an efficient generation of the lattice of relation \(\mathcal {L}\) (Sect. 3). In SCALLOP-HD, each element \((E,\iota _E)\) will be given using the \( 2 \textsf{dim}\)-representation, and we also specify the relevant parameters \(\omega ,\beta \) as a part of the group action definition. We discuss the details in Sect. 5.2.

To perform the group action, it’s essential to possess an element from the set \(\mathcal {S}_\mathfrak {O}(p)\). Acquiring this element, given our choice of \(\mathfrak {O}\), isn’t straightforward. We introduce the SetUpCurveHD algorithm in Sect. 5.3 specifically for this purpose.

Once the group action is set up, we proceed in the conventional manner to convert it into a REGA. Let \(\{\ell _1,\ldots ,\ell _n\}\) be the first n odd primes that split in \(\mathfrak {O}\) for \(n=O(\log f)\), then we choose the set \(\textbf{g}\) to consist of the ideals \(\{\mathfrak {l}_1,\ldots ,\mathfrak {l}_k\}\) with \(\mathfrak {l}_i\) being one of the prime ideal above \(\ell _i\). To further convert the REGA to an EGA, the offline phase is discussed in Sect. 5.4 and the online phase is discussed in Sect. 5.5.

5.2 Set Up the Group Action

In this section, we explicit various choice of parameters for setting up the group action.

Choice of the Quadratic Order. Let \(\mathfrak {O}_0 = \mathbb {Z}[\sqrt{-d}]\) be an imaginary quadratic order of class number equal to 1 and discriminant equal to \(d = 5 \bmod 8\), as in SCALLOP, we choose \(\mathfrak {O}\) to be of the form \(\mathbb {Z}+f\mathfrak {O}_0\) for a large prime f. The size of f will be determined by the target security level. For the efficient precomputation of the lattice of relations (elaborated further in Sect. 5.4), we want to ensure that \(\#\text {Cl}(\mathfrak {O}) = f-\genfrac(){}{}{-d}{f}\) is as smooth as possible. Such a prime integer f can be found efficiently in polynomial time by generating random smooth integers and see whether they are of the form \(f-\genfrac(){}{}{-d}{f}\).

Choosing the Field Characteristic p. To ensure that the set \(\mathcal {S}_\mathfrak {O}(p)\) is non-empty, we need to choose p that does not split in \(\mathfrak {O}\) and does not divide the conductor f according to Proposition 3. Moreover, the form of p is determined by the torsion subgroups needed. To efficiently represent the orientation, we require that \(2^{e}\)-torsion is defined over \(\mathbb F_{p^2}\). For efficient computation of the group action, we also require to have the \(\prod _{1 \le i \le n} \ell _i\)-torsion defined over \(\mathbb F_{p^2}\). These conditions on torsion points amounts to selecting a prime of the form:

$$\begin{aligned} p = c 2^e \prod _{i=1}^n \ell _i \pm 1, \end{aligned}$$

where c is a small cofactor.

Representing the Orientation. Recall that a \( 2 \textsf{dim}\)-representation of an orientation is given by the tuple \((E,\omega ,\beta ,P,Q,\omega _E(P),\omega _E(Q))\). Once we have fixed \(\mathfrak {O}\) from the previous discussion, we can determine the integer e and \( \omega ,\beta \in \mathfrak {O}\) for instance using the OrientDiamondDim2 algorithm.

In SCALLOP-HD group action, \(\omega ,\beta \) will be part of public parameters, therefore, they can be omitted from the orientation representation. Furthermore, we can use a deterministic algorithm that computes a basis of \(E[2^e]\) for any curve E, this way we omit PQ from the representation to make it even compacter. That being said, in the actual application of SCALLOP-HD group action, the orientation representation will be of the form \((E,\omega _E(P),\omega _E(Q))\).

5.3 Set Up a Starting Curve

The computation of one \(\mathfrak {O}\)-oriented curve is necessary to set-up the scheme. This starting curve can be used to generate every other oriented curve by applying the group action. Concretely, computing one \( 2 \textsf{dim}\)-representation for a \(\mathfrak {O}\)-oriented curve means the following: compute any f-isogeny starting from an \(\mathfrak {O}_0\)-oriented curve \(E_0\) and evaluate it on a basis of \(E_0[2^e]\).

For this, we propose to revisit SetUpCurve [DFFK+23, Algorithm 1] as our setting remains very similar to SCALLOP. Since the conductor f is a big prime, we cannot hope to compute any isogeny of degree f directly. The trick behind SetUpCurve is to use an endomorphism of norm fS where S is a smooth integer and to express the f isogeny as the composition of this endomorphism and an isogeny of degree S. Such endomorphisms can be found with the FullRepresentInteger [DFLLW23, Algorithm 1] as soon as \(f S \approx p\). Since our ultimate goal is to evaluate the orientation on the \(2^e\) torsion, the best option would be to take S coprime to 2, and with our choice of prime characteristic, we would have \( S = \prod _i \ell _i\). Unfortunately, since \(2^e \approx f^2\), we have \(f \prod _i \ell _i \approx p/f\). This means that we must include other factors in S to reach the desired size. The only remaining available torsion is the power of 2. Since \(2^{e/2} \approx f\), we should have \(f 2^{e/2} \prod _i \ell _i \approx p\). This means that we will be able to find endomorphisms of norm \(\ell _1^h f 2^{e/2} \prod _{i > 1} \ell _i \) for some small exponent h. In that case, we can circumvent the fact that S is not coprime to 2 by using a trick presented in [DLRW23, Sect. 5.4] to cut the computation of the 2-dimensional isogeny in two, which allows us to divide by two the torsion requirement. For the group action computation, we prefer to use the full \(2^e\)-torsion because the computation is more direct, but for the set-up of the scheme it is not a problem to sacrifice a bit of efficiency. The idea we just outlined gives the algorithm SetUpCurveHD that we describe below.

We start with an element \((E_0,\iota _0)\in \mathcal {S}_{\mathfrak {O}_0}(p)\). Let \(\mathcal {O}_0\) be a maximal quaternion order such that \({{\,\textrm{End}\,}}(E_0) \cong \mathcal {O}_0\), and we can fix an explicit isomorphism \(\rho _0 : \mathcal {O}_0 \hookrightarrow {{\,\textrm{End}\,}}(E_0)\), we write \(\omega _0\) for \(\iota _0(\sqrt{-d})\). Then, the orientation \(\iota _0\) is derived from the inclusion \(\mathfrak {O}_0 \subseteq \mathcal {O}_0\) and the isomorphism \(\rho _0\).

Algorithm 2
figure d

. \(\textsf {SetUpCurveHD}(p,f)\)

Full size image

Proposition 15

SetUpCurveHD is correct and terminates in \(O(c \textsf{poly}(\log (p) )\).

Proof

To prove correctness, we need to verify that the output (E, (RS)) is a correct \( 2 \textsf{dim}\)-representation of an element in \(\mathcal {S}_\mathfrak {O}(p)\). Let us assume that the verification made in the loop passed. We will start by proving correctness under that assumption, then we will justify why the verification always passes.

When the verification passes, it means that there exists \(\omega _E \in {{\,\textrm{End}\,}}(E)\) of same norm and trace as \(\omega \). Thus, \(\mathbb {Z}[\omega _E] \cong \mathbb {Z}[\omega ]=\mathfrak {O}\), and sending \(\omega \) to \(\omega _E\) defines a \(\mathfrak {O}\)-orientation \(\iota _E\) on E (we explain later in the proof why this is an optimal embedding of \(\mathfrak {O}\) into \({{\,\textrm{End}\,}}(E)\)). Moreover, \(R,S = \omega _E(P,Q)\) for a deterministic basis \(\{P,Q\}\) of \(E[2^e]\). Therefore, \((E,(R,S)) = (E,\omega _E(P,Q))\) is a valid \( 2 \textsf{dim}\)-representation of \((E,\iota _E)\in \mathcal {S}_\mathfrak {O}(p)\).

Now, let us justify that there always is an i that passes the verification. The element \(\gamma \in \mathcal {O}_0\) provides us with a principal ideal \(\mathcal {O}_0 \gamma \), whose corresponding isogeny \(\rho _0(\varphi _\gamma )\) is an endomorphism of \(E_0\). Moreover, we have that (up to composing with some isomorphisms if necessary) \(\varphi _\gamma = \psi ' \circ \varphi \circ \varphi _f\) where \(\varphi _f : E_0 \rightarrow E \) has degree f, \(\varphi : E \rightarrow E'\) has degree \(\ell _1^{h-1}\) and \(\psi ' : E' \rightarrow E_0\) has degree \(2^{e/2} \prod _i \ell _i\). By [DFFK+23, Proposition 16], E is an \(\mathfrak {O}\)-orientable curve unless \(\varphi _f\) corresponds to one of the \(1 + \left( \frac{d_0}{f} \right) \) horizontal f-isogenies of domain \(E_0\). Let us assume for now that it is not. The endomorphism \(\omega _E =\iota _E(\omega )\) is equal to \([x] + \varphi _f \circ \omega _0 \circ \hat{\varphi }_f\). By design, the ideal \(\langle {\overline{\gamma },2^{e/2} \prod _{i} \ell _i}\rangle \) corresponds to the isogeny \(\hat{\psi }'\). Thus, we have that the isogeny \(\psi \) computed in Step 2, is the isogeny \(\hat{\psi }'\). Then, if we take the index \(i_0\) such that \(\varphi _{i_0} = \hat{\varphi }\), we get that \(E_{i_0} \) is the curve E that we are looking for. Then, it can be verified that \(P_{i_0},Q_{i_0}\) is equal to \([2^{e/2}]\varphi _f(P_0,Q_0)\), so it is a basis of \(E_{i_0} [2^{e/2}]\). It can also be verified that the equality \(R_{i_0},S_{i_0} = \varphi _f \circ \omega _0 \circ \hat{\varphi }_f (P_{i_0},Q_{i_0})\). From there, the image points \(\omega _E(P_{i_0},Q_{i_0})\) and \(\beta _E(P_{i_0},Q_{i_0})\) can be recovered, and this is enough to build the two isogenies \(\hat{F}_2\) and \(F_1\) as described in [DLRW23, Appendix A.4]. Then, F is the correct endomorphism on \(E^2\) constructed from isogeny diamond formed by \(\omega _E\) and \(\beta _E\), and so the check for norm and trace equality will pass.

To finish the proof of correctness, we simply need to prove that the case where \(\varphi _f\) might be one of the bad isogenies cannot happen. In that case, we have that \(\varphi _f\) is one of the horizontal isogenies and since \(\mathfrak {O}_0\) has class number one, this means that \(\varphi _f\) commutes with \(\omega _0\) which is equivalent to the fact that ideal corresponding to \(\varphi _f\) commutes with \(\omega _0\). Since this ideal is exactly equal to \(\mathcal {O}_0 \langle {\gamma ,f}\rangle \), this situation is prevented from happening.

Regarding complexity, we have \(\ell _1^{h-1} < p/(f 2^{e/2} \prod _i \ell _i)\) and since we have \(f = O(2^{e/2})\), the loop is repeated at most O(c) times. The computations over the quaternions are in \(O(\textsf{poly}(\log (p))\). Then, since we have the explicit isomorphism \(\rho _0\), we can compute \(\psi \) and evaluate \(\rho _0(\gamma )\) over the \(2^e\)-torsion in \(O(\textsf{poly}(\log (p))\) (remember that the \(2^e\)-torsion is defined over \(\mathbb F_{p^2}\) and \(2^e < p\)). Then, the computation of each \(\varphi _i\) is in \(O(\textsf{poly}(\log (p))\) and computing \(s_i\) and checking the trace has \(O(\textsf{poly}(\log (p))\) complexity with the CheckTrace algorithm introduced in [Ler22a]. Computing the norm can be done very similarly with the same complexity. This proves the result.    \(\square \)

5.4 Offline Phase

The remaining operations required to be done in the precomputation are exactly the same as in SCALLOP. First, we need to generate the relation lattice associated to the ideal basis \((\mathfrak {l}_i)_{1 \le i \le n}\). Second, we need to find a reduced basis of this lattice. These operations can be done exactly as explained in [DFFK+23]. The lattice of relations is generated by solving some discrete logarithms in the class group. Then, the reduced basis is found using standard lattice reduction techniques.

The only real difference between SCALLOP and our new construction is the complexity of those operations. In particular, with our choice of quadratic order, the generation of the lattice of relations takes polynomial time. Indeed, the choice of f ensures that the class group has order \(f-\genfrac(){}{}{-d}{f}\) with a polynomial smoothness bound. This means that the Pohlig-Hellman method succeeds in solving discrete logarithm in polynomial time and so the full lattice of relations can be generated in polynomial time (whereas it has subexponential complexity in general). Unfortunately, the complexity of the basis reductions remains superpolynomial, which means that the overall complexity of the precomputation is still superpolynomial. However, as explained in [DFFK+23], for modest parameter sizes, the dimension of the relation lattice can be taken quite small and so a nearly-optimal basis can be found efficiently in practice.

5.5 Online Phase

We now describe precisely an algorithm GroupAction to perform the group action for SCALLOP-HD given an ideal \(\mathfrak {a}= \prod _{1 \le i \le n} \mathfrak {l}_i^{e_i}\) where \(\mathfrak {l}_i\) is an ideal of norm \(\ell _i\). In GroupAction below, we restrict to the case \(\mathfrak {a}= \prod _i \mathfrak {l}_i\) to simplify the exposition as the generic algorithm simply consists in several executions of the sub-algorithm for \(\prod _i \mathfrak {l}_i\).

Algorithm 3
figure e

. \(\textsf {GroupAction}((E,\iota _E),\mathfrak {a})\)

Full size image

Proposition 16

Algorithm 3 GroupAction is correct and runs in

$$\tilde{O}\left( \textsf{poly}\left( \log (p) \log (f) n \right) \sqrt{\max _{1\le i \le n} \ell _i} \right) .$$

Proof

Let us start by proving correctness. Since \(\omega ,\beta \in \mathfrak {O}\) we have that the endomorphisms \(\omega _E,\iota _E(\beta )\) commutes and since we have \(2^e= n(\omega ) + n(\beta )\), by Lemma 4, the \(2^e\)-isogeny \(F_E:E^2 \rightarrow E^2\) is correctly computed from its kernel.

Then, we have that \(F(0,R) = (\star ,\omega _E(R))\) for any point R. Thus, we do have \(U_i = \omega _E(P_i),V_i = \omega _E(Q_i)\) for each \(1 \le i \le n\). The kernel of \(\omega _E - \lambda _i\) is equal to \((\hat{\omega }_E - \lambda _i) (E[\ell _i])\) and since \(\hat{\omega }_E = [\text {tr}(\omega )] - \omega _E\), the point \(R_i\) computed is a generator of \(\ker (\omega _E - \lambda _i) = \ker \varphi _{\mathfrak {l}_i} = \ker \varphi _\mathfrak {a}\cap E[\ell _i]\). Thus, the computation of \(\varphi _\mathfrak {a}\) is correct, and the computation of the \( 2 \textsf{dim}\)-representation of \(\mathfrak {a}\star (E,\iota _E)\) is correct by the formulas given in Sect. 4.3. The last step is merely changing the evaluation to the deterministic basis using linear algebra.

Regarding the complexity, the \(2^e\)-isogeny \(F_E\) can be computed evaluated in \(O\left( \textsf{poly}\left( \log (p) e \right) \right) = O\left( \textsf{poly}\left( \log (p) \log (f) \right) \right) \). Then, since the points of \(E[\ell _i]\) are defined over \(\mathbb F_{p^2}\), the cost to compute the bases \(P_i,Q_i\) and to compute \(U_i,V_i\) through evaluation of F is \(O\left( \textsf{poly}\left( \log (p) \log (f) n \right) \right) \).

Finally, using the \(\sqrt{\acute{\text{ e }}\text{ lu }}\) formulas introduced in [BDFLS20], it is possible to compute the isogeny \(\varphi _\mathfrak {a}\) of norm \(\prod _{1 \le i \le n}\ell _i\) in \(\tilde{O}\left( \textsf{poly}\left( \log (p) n \right) \sqrt{\max _{1\le i \le n} \ell _i} \right) \). This proves the result.    \(\square \)

5.6 Implementation Results

In this section, we report on our preliminary proof-of-concept implementation of SCALLOP-HD in SageMath [The23], which can be found at:

https://github.com/isogeny-scallophd/scallophd

Order and Relation Lattice. We computed suitable choices of \(\mathfrak {O}\) and reduced bases of its associated lattice of relations, for sizes of \(D_\mathfrak {O}\) up to 4096 bits, which is twice the size of the largest provided SCALLOP instantiation. The lattice of relations can easily be found for even larger sizes; however, increasing sizes of \(D_\mathfrak {O}\) and therefore \(h(\mathfrak {O})\) warrant the use of growing lattice dimensions, which (due to the superpolynomial asymptotic growth in cost) eventually renders either the lattice-reduction step or the online phase prohibitively costly.

In all parameter sets, we use fundamental discriminant \(D_K=-11\), which is congruent to 5 modulo 8 as required. The conductor f was chosen as a random prime of the form \(f = 2^km + 1\) with m a small odd integer, such that f is split in \(\mathbb Q(\sqrt{D_K})\). Hence the class group is cyclic of order \(2^km\), which makes the required discrete logarithms in the class group particularly easy to compute.Footnote 2 As a generating set of the class group, we consider the first n prime integers \(\ell _i\) which split in \(\mathfrak {O}\) and, for each of them, let \(\mathfrak {l}_i=(\ell _i,f\sqrt{D_\mathfrak {O}}-m_i)\) where \(m_i\) is the smallest non-negative integer such that \(\mathfrak {l}_i\) is a prime ideal of norm \(\ell _i\). The reduced relation lattices for these parameter sets can be computed in no more than a few core-hours per parameter set, almost all of which is spent on running the BKZ lattice-reduction algorithm.

Starting Curve. We then computed starting curves for the chosen parameters using a KLPT-based approach using the implementation of [EPSV23]. This is practically easier than using SetUpCurveHD (Algorithm 2) for lack of sufficiently general genus-2 isogeny libraries, but presumably slower: Computing the starting curve took about 2 single-core hours for a 512-bit discriminant with \(n=74\) as in CSIDH-512, and about 85 single-core hours for a 1024-bit discriminant with \(n=100\). (We stress again that these timings are for a naïve implementation of the setup phase and can be improved a lot.)

Computing the Action. Finally, our implementation of the SCALLOP-HD group action itself relies heavily on the SageMath implementation of dimension-2 isogenies provided by [DMPR23]. Although it is hard to compare our SageMath implementation to the C++ implementation of SCALLOP, our preliminary results seem to indicate that SCALLOP-HD can at least compete: For the 512-bit parameter set, a single group-action evaluation averages around 88 s on an Intel Alder Lake CPU core clocked at 2.1 GHz, compared to around 42 s for SCALLOP on the same hardware configuration. For the 1024-bit parameter set, a single group-action evaluation averages around 19 min, compared to around 15 min for SCALLOP. However, profiling data reveals that the 2-dimensional isogenies used in SCALLOP-HD are in fact relatively cheap, accounting for only about a third of the total computational effort: Most of the time is spent on “traditional” elliptic-curve arithmetic, which can therefore be expected to benefit from very significant speedups using well-known standard optimization techniques and implementation tricks for genus-1 arithmetic which have not been incorporated into SageMath. We are thus optimistic that a more optimized SCALLOP-HD implementation will be able to outperform SCALLOP by a comfortable margin as the security level grows.

6 Some Remarks on Security

The security of SCALLOP-HD is identical to that of SCALLOP because the group action has the same exact structure. In this section, we take the opportunity to discuss the impact of recent developments from the papers [CII+23, CV23] on the security of SCALLOP and SCALLOP-HD.

In [DFFK+23], one proposed method to attack SCALLOP is to compute the ideal corresponding to the isogeny \(\varphi _f\) of degree f connecting the \(\mathfrak {O}_0\)-oriented curve \(E_0\) with the \(\mathfrak {O}\)-oriented curve E. In [CII+23], a polynomial-time quantum algorithm is introduced to perform that computation when there is an efficient way to evaluate this f-isogeny on points of powersmooth order. Since the endomorphism \(\omega _E\) can be written as \(d + \varphi _f \circ \omega _0 \circ \hat{\varphi }_f\) for some integer d and \(\omega _0 \in {{\,\textrm{End}\,}}(E_0)\), the security of SCALLOP then reduces to the following question:

Can we use the effective orientation \(\omega _E\) revealed in SCALLOP(-HD) to evaluate \(\varphi _f\)?

As far as we know, the answer to this question is no (at least not in polynomial time). In fact, the problem of evaluating the descending isogeny \(\varphi _f\) was already discussed in [DFFK+23, Sect. 7] even though the algorithm from [CII+23] didn’t exist at the time. The discussion presented in [DFFK+23, Sect. 7] is still relevant and justifies why evaluating \(\varphi _f\) from \(\omega _E\) appears hard. One possible way to reduce the search space introduced in [DFFK+23, Sect. 7] would be to use non-trivial self-pairings (i.e. pairing such that e(PP) is not 1). However, there are no known self-pairings in the context of SCALLOP(-HD) and some negative results regarding the existence of these objects were even recently shown in [CHM+23].

Recently, [CV23] introduced a generalization of the “lollipop method" to recover an isogeny from a partial torsion information. More concretely, it targets the following setting. Let \(\varphi : E_0 \rightarrow E\) be an isogeny of degree f and PQ be a basis of \(E_0[N]\) for some big enough integer N. The goal is to recover \(\varphi \) from the knowledge of TS where TS is a basis of E[N] equal to \(X \cdot \varphi (P,Q)\) for some secret matrix X contained in some subset of \(GL_2(\mathbb {Z}/N \mathbb {Z})\). Typically, [CV23] targets the case where X is diagonal, but they introduce a generic framework that can handle a broader variety of families of Xs. The fact that X is unknown is the main obstacle to apply the usual isogeny recovery attacks or the attack from [CII+23]. The paper [CV23] shows how to overcome this obstacle when the parameters dNp allow the existence (and efficient computation) of an endomorphism \(\rho \in {{\,\textrm{End}\,}}(E_0)\) satisfying various constraints.

Below, we try to apply this attack to recover the isogeny \(\varphi _f\) using the knowledge of the orientation. In particular, we will have a look at the case where X is diagonal. Indeed, when taking N as a product of split primes in \(\mathfrak {O}_0\), PQ to be two generators of the eigenspaces of \(\omega _0\) in \(E_0[N]\) and TS generators of the eigenspaces of \(\omega _E \in E[N]\), we are exactly in the desired setting where the unknown matrix is diagonal (since eigenspaces of \(\omega _0\) are mapped to eigenspaces of \(\omega _E\) by \(\varphi _f\)).

When N is powersmooth, the points PQTS can be computed in polynomial time by evaluating \(\omega _0\) and \(\omega _E\), and solving some discrete logarithms. The method introduced in [CD23] works by computing a non-trivial endomorphism \(\rho = \kappa \circ \sigma \) such that \([\varphi _f]_* \sigma \) can be computed efficiently, the matrix of the action of \(\rho \) in the basis PQ commutes with the matrix X and \(\deg \kappa \le N^2 / f^2\). When those conditions are satisfied, it can be shown that the image of the isogeny \( \psi = [\sigma ]_* \varphi _f \circ \kappa \circ \hat{\varphi }_f\) on TS can be computed exactly, allowing for its efficient computation with higher dimensional isogenies. In a number of cases, this is enough to recover \(\varphi _f\) directly, but not always. In the setting of SCALLOP-HD, this is not necessarily new information if the endomorphism \(\hat{\psi }\circ [\varphi _f]_* \sigma \) belongs to \(\iota _E(\mathfrak {O})\). On the other hand, when it does not, then we obtain a full quaternion suborder of \({{\,\textrm{End}\,}}(E)\) in that matter, and that might be enough to evaluate \(\varphi _f\) with an adaptation of [Ler22a, Algorithm 5] and then, we can apply the attack from [CII+23].

Thus, the question becomes: can we find such an endomorphism \(\rho \) satisfying all the previous constraints? While we do not know how to prove formally that the answer is always no, we provide examples where we can prove that finding a suitable \(\rho \) is impossible.

As far as we know, there are essentially three types of isogenies \(\sigma \) for which we have an efficient way to compute the push-forward \([\varphi _f]_* \sigma \):

  1. 1.

    The identity.

  2. 2.

    The Frobenius.

  3. 3.

    Horizontal isogenies (used in the group action).

Let us consider the case where \(\sigma \) is the identity. We want to find \(\rho \in {{\,\textrm{End}\,}}(E_0)\) that acts as a diagonal matrix on the subgroups generated by P and Q. As we explained before, we have an attack if we can find \(\rho \not \in \mathbb {Z}[\omega _0]\) (otherwise we don’t learn anything new).

Let \(\mathcal {O}_0\) be a quaternion maximal order isomorphic to \({{\,\textrm{End}\,}}(E_0)\) and IJ, the two left \(\mathcal {O}_0\)-ideals of norm N corresponding to the subgroups generated by P and Q under the Deuring correspondence. Then, \(\rho \) will act as a diagonal matrix on the two subgroups if and only if it is contained inside the quaternion order \(\mathcal {O}= (\mathbb {Z}+ I) \cap (\mathbb {Z}+J)\) which is an Eichler order of level \(N^2\). This is a lattice of volume equal to \(C p^2 N^4\) for some small constant C. And this means the four successive minimas \(\lambda _1,\lambda _2,\lambda _3,\lambda _4\) satisfy

$$\begin{aligned} p^2\,N^4 \le \lambda _1\lambda _2\lambda _3\lambda _4 \le 16\,C p^2\,N^4 \end{aligned}$$
(3)

However, since \(\mathbb {Z}[\omega _0] \) is contained inside \(\mathcal {O}\) by design, and \(\mathfrak {O}_0\) is a quadratic order of very small discriminant, we know that the two first successive minimas are 1 and \(n(\omega _0)\) (assuming that \(\omega _0\) is the element of smallest norm in \(\mathbb {Z}[\omega _0] \smallsetminus \mathbb {Z}\), which we can do without any loss of generality). Moreover, since \(\omega _0 \in \mathcal {O}\), we can always multiply any element by \(\omega _0\), this means that we must have \(\lambda _4 \le n(\omega _0) \lambda _3\), and so we can deduce that \(\lambda _3 \ge p N^2\). This means that the smallest element \(\rho \) we can expect to find in \(\mathcal {O}\smallsetminus \mathbb {Z}[i]\) has norm greater than \(pN^2\). But, to make the attack work, we need that \(N^2 > f^2 \deg \rho \). These two conditions are clearly not compatible, and this means that there is no hope to find a suitable \(\rho \) to make the attack work in this setting.

Let us now consider the case where \(\sigma \) is the Frobenius isogeny. When \(\mathcal {O}_0\) contains j (which we can assume since the class number of \(\mathfrak {O}_0\) is 1 and it has been shown in [CPV20] that the only \(\mathfrak {O}_0\)-oriented is \(\mathbb F_p\)-rational when p is big enough), finding \(\rho \) when \(\sigma \) is the Frobenius implies that \(\rho \) is contained inside \(\mathcal {O}\cap \mathcal {O}_0 j \). It can be verified that the successive minimum of this lattice are small linear combinations of \(p,p \omega _0,N j, N\omega _0 j\) and thus the solutions outside of \(\mathbb {Z}[i]\) have norm bigger than \(N^2\). Thus, it is once again not possible to find \(\rho \) with \(N^2 > f^2 \deg \rho \). A similar reasoning can be applied to prove that a suitable endomorphism \(\rho \) cannot be found when \(\sigma \) is an \(\mathfrak {O}_0\)-horizontal isogeny.

Thus, we have proven that the lollipop method cannot be applied to the setting of SCALLOP-HD when considering the torsion information revealed by the orientation on the points whose order is a product of split primes.

The same reasoning cannot be applied if we consider inert primes. Indeed, in that case, the matrix will probably not be diagonal. However, this also means that we don’t really know what kind of matrix is required for the endomorphism \(\rho \). Thus, it seems hard to use the lollipop method in that case.

7 Conclusion and Future Work

SCALLOP-HD represents the progression of a series of efforts to enhance the scalability of EGAs based on isogenies. Beginning with CSI-FiSh, which established the foundational strategy and gave a notable example, there was a significant challenge in computing larger class groups. SCALLOP then built upon the work of CSI-FiSh by overcoming this limitation, but still needed superpolynomial time for generating the lattice of relations. SCALLOP-HD takes this advancement a step further, making precomputation polynomial-time except for the lattice reduction phase. Indeed, this renders SCALLOP-HD the first member in the CSI-FiSh family whose practical bottleneck equals the asymptotic bottleneck of the construction, indicating that a fundamentally different approach may be required to achieve further progress.

SCALLOP-HD is heavily based on the SCALLOP group action [DFFK+23]. The main difference stems from the way the orientation is computed. In SCALLOP, an effective orientation is obtained from an endomorphism of smooth degree, whereas in SCALLOP-HD, an effective orientation is obtained from a \( 2 \textsf{dim}\)-representation of an arbitrary degree endomorphism. The relaxation of the constraint on the degree of the endomorphism is the main advantage of SCALLOP-HD as it improves scalability and simplifies the group action computation at the cost of requiring the computation of a \(2^e\)-isogeny between abelian variety of dimension 2.

The \( 2 \textsf{dim}\)-representation technique we developed in order to represent set elements in SCALLOP-HD is interesting in its own right. It has already seen applications in [Ler23] and Remark 14, bringing down the dimension needed to compute the isogenies between abelian varieties from 4 or 8 to 2.

The main remaining problem is to engineer an efficient and side-channel resistant implementation of SCALLOP-HD. This is a non-trivial task due to the need for isogeny computation in higher dimension. The state of the art on this matter was recently improved by [DMPR23], which is a great leap in the right direction, but algorithms for dimension-2 isogenies still haven’t reached the level of maturity required for serious cryptographic implementation work. In the end, we are optimistic that the efficiency of SCALLOP-HD’s group-action computation will outperform that of SCALLOP.