University of Birmingham Identification protocols and signature schemes based on supersingular isogeny problems

. We present signature schemes whose security relies on computational assumptions relating to isogeny graphs of supersingular elliptic curves. We give two schemes, both of them based on interactive identiﬁcation protocols. The ﬁrst identiﬁcation protocol is due to De Feo, Jao and Plût. The second one, and the main contribution of the paper, makes novel use of an algorithm of Kohel, Lauter, Petit and Tignol for the quaternion version of the (cid:2) -isogeny problem, for which we provide a more complete description and analysis, and is based on a more standard and potentially stronger computational problem. Both identiﬁcation protocols lead to signatures that are existentially unforgeable under chosen message attacks in the random oracle model using the well-known Fiat-Shamir transform, and in the quantum random oracle model using another transform due to Unruh. A version of the ﬁrst signature scheme was independently published by Yoo, Azarderakhsh, Jalali, Jao and Soukharev. This is the full version of a paper published at ASIACRYPT 2017.


Introduction
A recent research area is cryptosystems whose security is based on the difficulty of finding a path in the isogeny graph of supersingular elliptic curves [10,12,19,25,27]. Unlike other elliptic curve cryptosystems, the only known quantum algorithm for these problems, due to Biasse, Jao and Sankar [8], has exponential complexity. Hence, addi-tional motivation for the study of these cryptosystems is that they are possibly suitable for post-quantum cryptography.
Some of the first constructions in supersingular isogeny cryptography include the collision-resistant hash function of Charles, Goren and Lauter [10], the key exchange protocol of Jao and De Feo [25], and the public key encryption scheme and interactive identification protocol of De Feo, Jao and Plût [19]. Focusing on signatures, Jao-Soukharev [27] presented an undeniable signature, and Xi, Tian and Wang [48] presented a designated verifier signature.
In this paper we present two public key signature schemes whose security relies on computational problems related to finding a path in the isogeny graph of supersingular elliptic curves.
The first scheme is obtained relatively simply from the De Feo-Jao-Plût [19] interactive identification protocol by using the Fiat-Shamir transform to turn it into a non-interactive signature scheme. We also use a variant of the Fiat-Shamir transform due to Unruh to obtain a post-quantum signature scheme. Essentially the same signature scheme was independently published by Yoo, Azarderakhsh, Jalali, Jao and Soukharev [49], but our version has improved signature size. This scheme has the advantage of being simple to describe, at least to a reader who is familiar with the previous work in the subject, and easy to implement. On the other hand, it inherits the disadvantages of [19], in particular it relies on a non-standard isogeny problem using small isogeny degrees, reveals auxiliary points, and uses special primes.
The fastest classical attack on the first scheme has heuristic running time ofÕ( p 1/4 ) bit operations, and the fastest quantum attack (see Section 5.1 of [19]) has running time ofÕ( p 1/6 ). Galbraith, Petit, Shani and Ti [22] and Petit [36] showed that revealing auxiliary points may be dangerous in certain contexts. It is therefore highly advisable to build cryptographic schemes based on the most general, standard and potentially hardest isogeny problems.
Our second scheme uses completely different ideas and relies on the difficulty of a more standard computational problem, namely the problem of computing the endomorphism ring of a supersingular elliptic curve (equivalently, computing an isogeny between two given elliptic curves). This computational problem has heuristic classical complexity ofÕ( p 1/2 ) bit operations, and quantum complexityÕ( p 1/4 ). In particular, the second scheme does not involve sending auxiliary points and so avoids the attacks of [22,36]. The identification scheme is based on a sigma protocol that is very similar to the proof of graph isomorphism. One obtains a signature scheme by applying the Fiat-Shamir transform or Unruh's transform. We now briefly sketch the main ideas behind our second scheme. The public key is a pair of elliptic curves (E 0 , E 1 ) and the private key is an isogeny ϕ : E 0 → E 1 . To interactively prove knowledge of ϕ one chooses a random isogeny ψ : E 1 → E 2 and sends E 2 to the verifier. The verifier sends a bit b. If b = 0 the prover reveals ψ. If b = 1 the prover reveals an isogeny η : E 0 → E 2 . In either case, the verifier checks that the response is correct. The interaction is repeated a number of times until the verifier is convinced that the prover knows an isogeny from E 0 to E 1 . However, the subtlety is that we cannot just set η = ψ • ϕ, as then E 1 would appear on the path in the graph from E 0 to E 2 and so we would have leaked the private key. The crucial idea is to use the algorithm of Kohel-Lauter-Petit-Tignol [33] to produce a "pseudo-canonical" isogeny η : E 0 → E 2 that is independent of ϕ. The algorithm of Kohel-Lauter-Petit-Tignol is based on the theory of quaternion algebras.
The paper is organized as follows. In Section 2 we give preliminaries on isogeny problems, random walks in isogeny graphs, security definitions and the Fiat-Shamir transform. Sections 3 and 4 describe our two signature schemes and Section 5 concludes the paper. In a first reading to get the intuition of our schemes without all implementation details, one can safely skip parts of the paper, namely Sections 2.3, 2.4, 2.5, 2.7, 2.8, 4.3 and 4.4.

Quaternion Algebras
We summarize the required background on quaternion algebras. For a more detailed exposition of the theory, see [42,43,45].
The quaternion algebras used in this paper are quaternion algebras over Q ramified at a prime p and at infinity, where moreover p = 3 mod 4. Such an algebra can be represented as B p,∞ := Q i, j , where i 2 = −1, j 2 = −p, k = ij = −ji. The canonical involution on B p,∞ is given by from which the reduced trace and norm take the form Trd(α) = α +ᾱ = 2x 0 and Nrd(α) = αᾱ = x 2 0 + x 2 1 + px 2 2 + px 2 3 .
An ideal of B p,∞ is a Z-lattice of rank 4. Ideals can be multiplied in the usual way. The norm of an ideal I is the gcd of the reduced norms of its elements. An order of B p,∞ is an ideal that is also a ring. A maximal order is an order that is not strictly contained in any other order. Elements of an order are integers, namely their reduced norm and trace are in Z. Orders and ideals in B p,∞ may be represented by a Z-basis, namely 4 elements ω 0 , ω 1 , ω 2 , ω 3 ∈ B p,∞ . For orders we can always take ω 0 = 1. The quaternion algebra B p,∞ has a maximal order O 0 = 1, i, 1+k 2 , i+j 2 that will be of particular interest in this paper.
For any ideal I , the left order of I is the set O = {h ∈ B p,∞ |h I ⊂ I }. We also say that I is a left ideal of O. Right orders and ideals are defined in a similar way. For any order O, any left ideal of O can be written as I = On + Oα where n is the norm of the ideal, and α ∈ O is such that n| Nrd(α). For any order O and any prime = p, there are + 1 left ideals of O with norm .
We define equivalence classes of ideals and orders as follows. Two orders O 1 and O 2 are equivalent if and only if there exists q ∈ B * p,∞ such that O 1 q = qO 2 . For any order O and any I 1 , I 2 left ideals of O 0 , I 1 and I 2 are equivalent if and only there exists q ∈ B * p,∞ such that I 1 q = I 2 . These equivalence classes are compatible in the sense that the left ideals I 1 and I 2 are equivalent if and only if their right orders are equivalent. The number of equivalence classes is independent of O and is called the class number.

Hard Problem Candidates Related to Isogenies
We summarize the required background on elliptic curves. For a more detailed exposition of the theory, see [39].
Let E, E be two elliptic curves over a finite field F q . An isogeny ϕ : E → E is a non-constant morphism from E to E that maps the neutral element to the neutral element. The degree of an isogeny ϕ is the degree of ϕ as a morphism. An isogeny of degree is called an -isogeny. If ϕ is separable, then deg ϕ = # ker ϕ. In particular, the multiplication by m map, denoted by [m], is an isogeny of degree m 2 and is separable when char(F q ) m. If there is a separable isogeny between two curves, we say that they are isogenous. Tate's theorem is that two curves E, E over F q are isogenous over F q if and only if #E(F q ) = #E (F q ).
We say that an integer N is B-powersmooth if N = i e i i where the i are distinct primes and e i i ≤ B. A separable isogeny can be identified with its kernel [47]. Given a subgroup G of E, we can use Vélu's formulae [44] to explicitly obtain an isogeny ϕ : E → E with kernel G and such that E ∼ = E/G. These formulas involve sums over points in G, so using them is efficient as long as #G is small. Kohel [32] and Dewaghe [16] have (independently) given formulae for the Vélu isogeny in terms of the coefficients of the polynomial defining the kernel, rather than in terms of the points in the kernel. Given a prime = char(F q ), the torsion group E[ ] contains exactly + 1 cyclic subgroups of order , each one corresponding to a different isogeny.
A composition of n separable isogenies of degrees i for 1 ≤ i ≤ n gives an isogeny of degree N = i i with kernel a group G of order N . Conversely any isogeny whose kernel is a group of smooth order can be decomposed as a sequence of isogenies of small degree, hence can be computed efficiently. For any permutation σ on {1, . . . , n}, by considering appropriate subgroups of G, one can write the isogeny as a composition of isogenies of degree σ (i) . Hence, there is no loss of generality in the protocols in our paper by considering chains of isogenies of increasing degree.
For each isogeny ϕ : E → E , there is a unique isogenyφ : E → E, which is called the dual isogeny of ϕ, and which satisfies ϕφ =φϕ = [deg ϕ]. An isomorphism is an isogeny of degree 1. Isomorphism classes of elliptic curves over F q can be labeled with their j-invariant [39,III.1.4(b)]. An isogeny ϕ : E → E such that E = E is called an endomorphism. The set of endomorphisms of an elliptic curve, denoted by End(E), has a ring structure with the operations point-wise addition and function composition.
Elliptic curves can be classified according to their endomorphism ring. Over the algebraic closure of the field, End(E) is either an order in a quadratic imaginary field or a maximal order in a quaternion algebra. In the first case, we say that the curve is ordinary, whereas in the second case we say that the curve is supersingular. Indeed, the endomorphism ring of a supersingular curve over a field of characteristic p is a maximal order O in the quaternion algebra B p,∞ ramified at p and ∞.
In the case of supersingular elliptic curves, there is always a curve in the isomorphism class defined over F p 2 , and the j-invariant of the class is also an element of F p 2 . A theorem by Deuring [15] gives an equivalence of categories between the j-invariants of supersingular elliptic curves over F p 2 up to Galois conjugacy in F p 2 , and the maximal orders in the quaternion algebra B p,∞ up to the equivalence relation given by O ∼ O if and only if O = α −1 O α for some α ∈ B * p,∞ . Specifically, the equivalence of categories associates to every j-invariant a maximal order that is isomorphic to the endomorphism ring of any curve with that j-invariant. Furthermore, if E 0 is an elliptic curve with End(E 0 ) = O 0 , there is a one-to-one correspondence (which we call the Deuring correspondence) between isogenies ϕ : E 0 → E and left O 0 -ideals I . More details on the Deuring correspondence can be found in Chapter 42 of [45]. The key concept is that the ideal I is a kernel ideal for the isogeny ϕ, meaning that the group E 0 [I ] := {P ∈ E 0 (F p ) : α(P) = 0, ∀α ∈ I } is equal to ker(ϕ). In Section 4 we will heavily use kernel ideals. In particular we will use the following result: Let ϕ : E 0 → E r be an isogeny of degree 1≤ j≤r e j j that can be factored as a sequence of isogenies φ i : We now present some hard problem candidates related to supersingular elliptic curves, and discuss the related algebraic problems in light of the Deuring correspondence. Problem 1. Let p, be distinct prime numbers. Let E, E be two supersingular elliptic curves over F p 2 with #E(F p 2 ) = #E (F p 2 ) = ( p + 1) 2 , chosen uniformly at random. Find k ∈ N and an isogeny of degree k from E to E .
The fastest classical algorithm known for this problem uses a meet-in-the-middle strategy, and has heuristic running time ofÕ( p 1/2 ) bit operations [21,25]. Problem 2. Let p, be distinct prime numbers. Let E be a supersingular elliptic curve over F p 2 , chosen uniformly at random. Find k 1 , k 2 ∈ N, a supersingular elliptic curve E over F p 2 , and two distinct isogenies of degrees k 1 and k 2 , respectively, from E to E .
The hardness assumption of the second problem has been used in [10] to prove collision-resistance of a proposed hash function. Variants of the first problem, in which some extra information is provided, were used in [19] to build an identification scheme, a key exchange protocol and a public-key encryption scheme.
More precisely, the identification protocol of De Feo-Jao-Plût [19] relies on Problems 3 and 4 below (which De Feo, Jao and Plût call the Computational Supersingular Isogeny (CSSI) and Decisional Supersingular Product (DSSP) problems). In order to state them we need to introduce some notation. Let p be a prime of the form e 1 1 e 2 2 f ± 1, and let E be a supersingular elliptic curve over F p 2 . Let {R 1 , S 1 } and {R 2 , S 2 } be bases for E[ e 1 1 ] and E[ e 2 2 ], respectively. The fastest known algorithms for this problem use a meet-in-the-middle argument. The classical [21,25] and quantum [19,25] algorithms have heuristic running time respectively ofÕ( 1 ) bit operations, which is respectivelyÕ( p 1/4 ) andÕ( p 1/6 ) in the context of De Feo-Jao-Plût [19]. Problem 4. (Decisional Supersingular Product) Let E, E be supersingular elliptic curves over F p 2 such that there exists an isogeny φ : E → E of degree e 1 1 . Fix generators R 2 , S 2 ∈ E[ e 2 2 ] and suppose φ(R 2 ) and φ(S 2 ) are given. Consider the two distributions of pairs (E 2 , E 2 ) as follows: 2 2 ] of order e 2 2 and E 2 ∼ = E/G and - where E 2 is chosen at random among the curves having the same cardinality as E, and φ : E 2 → E 2 is a random e 1 1 -isogeny. The problem is, given (E, E ) and the auxiliary points (R 2 , S 2 , φ(R 2 ), φ(S 2 )), plus a pair (E 2 , E 2 ), to determine from which distribution the pair is sampled.
We stress that Problems 3 and 4 are potentially easier than Problems 1 and 2 because special primes are used and extra points are revealed. Furthermore, it is shown in Section 4 of [22] that if End(E) is known and one can find any isogeny from E to E then one can compute the specific isogeny of degree e 1 1 . The following problem, on the other hand, offers better foundations for cryptography based on supersingular isogeny problems.

Problem 5.
Let p be a prime number. Let E be a supersingular elliptic curve over F p 2 , chosen uniformly at random. Determine 1 the endomorphism ring of E.
Note that it is essential that the curve is chosen randomly in this problem, as for special curves the endomorphism ring is easy to compute. Essentially, Problem 5 is the same as explicitly computing the forward direction of Deuring's correspondence. This problem was studied in [32], in which an algorithm to solve it was obtained, but with expected running timeÕ( p). It was later improved by Galbraith toÕ( p 1 2 ), under heuristic assumptions [21]. Interestingly, the best quantum algorithm for this problem, due to Biasse, Jao and Sankar [8], runs in timeÕ( p 1 4 ), only providing a quadratic speedup over classical algorithms. This has largely motivated the use of supersingular isogeny problems in cryptography.

Problem 6.
Let p be a prime number. Let E, E be supersingular elliptic curves over F p 2 , chosen uniformly at random. 2 Find 3 an isogeny E → E .
Heuristically, if we can solve Problem 1 or Problem 6, then we can solve Problem 5.
To compute an endomorphism of E, we take two random walks φ 1 : E → E 1 and 1 There are several possible meanings of "determine the endomorphism ring", but we assume the output should be a Z-module basis in the quaternion algebra B p,∞ . 2 The special case E = E occurs with negligible probability so it can be ignored. 3 The isogeny should be represented in some compact way. φ 2 : E → E 2 , and solve Problem 6 on the pair E 1 , E 2 , obtaining an isogeny ψ : E 1 → E 2 . Then the compositionφ 2 ψφ 1 is an endomorphism of E. Repeating the process, it is plausible to find four endomorphisms that are linearly independent, thus generating a subring of End(E). Repeating the process further, we expect to obtain a Z-basis of the full endomorphism ring after having constructed at most O(log p + log D) such endomorphisms, where D is a bound on the degree of the isogeny ψ. Indeed the subring index N is bounded by the product of the degrees of its generators which is ( pD) O(1) , any randomly chosen new element will be in that subring with a probability 1/N , and every new element not in the subring will decrease the index by at least a factor of 2.
For the converse, suppose that we can compute the endomorphism rings of both E and E , represented as Z-modules in B p,∞ . The strategy is to compute a lattice I in B p,∞ of appropriate norm that is a left ideal of End(E) and a right ideal of End(E ), and to translate it back to the geometric setting to obtain an isogeny. This approach motivated the quaternion -isogeny algorithm of Kohel-Lauter-Petit-Tignol [17,33,37], which solves the following problem: The algorithm can be adapted to produce ideals of B-powersmooth norm for B ≈ 7 2 log p and using O(log p) different primes, instead of ideals of norm a power of . We will use that version in our second signature scheme.
For completeness we mention that ordinary curve versions of Problems 1 and 5 are not known to be equivalent, and in fact there is a subexponential algorithm for computing the endomorphism ring of ordinary curves [9], whereas the best classical algorithm known for computing isogenies is still exponential. There is, however, a subexponential quantum algorithm for computing an isogeny between ordinary curves [11], which is why the main interest in cryptography is the supersingular case.

Random Walks in Isogeny Graphs
Let p ≥ 5 be a prime number. There are N p := p 12 + p supersingular j-invariants in characteristic p, with p = 0, 1, 1, 2 when p = 1, 5, 7, 11 mod 12 respectively. For any prime = p, one can construct a so-called isogeny graph, where each vertex is associated to a supersingular j-invariant, and an edge between two vertices is associated to a degree isogeny between the corresponding vertices.
Isogeny graphs are regular 4 with regularity degree + 1; they are undirected since to any isogeny from j 1 to j 2 corresponds a dual isogeny from j 2 to j 1 . Isogeny graphs are also very good expander graphs [24]; in fact they are optimal expander graphs in the following sense. Definition 1. (Ramanujan graph) Let G be a k-regular graph, and let k, λ 2 , · · · , λ r be the eigenvalues of the adjacency matrix sorted by decreasing order of the absolute value. Then G is a Ramanujan graph if This is optimal by the Alon-Boppana bound: given a family {G N } of k-regular graphs as above, and denoting by λ 2,N the corresponding second eigenvalue of each graph G N , we have lim inf N →∞ λ 2,N ≥ 2 √ k − 1. The Ramanujan property of isogeny graphs follows from the Weil conjectures proved by Deligne [14,38].
Let p and be as above, and let j be a supersingular invariant in characteristic p. We define a random step of degree from j as the process of randomly and uniformly choosing a neighbour of j in the -isogeny graph, and returning that vertex. For a composite degree n = i i , we define a random walk of degree n from j 0 as a sequence of j-invariants j i such that j i is a random step of degree i from j i−1 . We do not require the primes i to be distinct.
The output of random walks in expander graphs converges quickly to a uniform distribution. In our signature scheme we will be using random walks of B-powersmooth degree n, namely n = i e i i , with all prime powers e i i smaller than some bound B, with B as small as possible. To analyse the output distribution of these walks we will use the following generalization 5 of classical random walk theorems [24].

Proof.
Let v t j be the probability that the outcome of the first t random steps is a given vertex j, and let v t = (v t j ) j be vectors encoding these probabilities. Let v 0 correspond to an initial state of the walk at j 0 (so that v 0 j 0 = 1 and v 0 j = 0 for all j = j 0 ). Let A i be the adjacency matrix of the i -isogeny graph. Its largest eigenvalue is k i . By the Ramanujan property the second largest eigenvalue is smaller than k i in absolute value, so the eigenspace associated to λ 1 = k i is of dimension 1 and generated by the vector u := (N −1 p ) j corresponding to the uniform distribution. Let λ 2i be the second largest eigenvalue of A i in absolute value. 2 since the eigenspace associated to k i is of dimension 1. Iterating on all steps we deduce Random walk theorems are usually stated for a single graph whereas our walks will switch from one graph to another, all with the same vertex set but different edges.
where we have used the Ramanujan property to bound the eigenvalues.
In our security proof we will want the right-hand term to be smaller than ( p 1+ ) −1 for an arbitrary positive constant , and at the same time we will want the powersmooth bound B to be as small as possible. The following lemma shows that taking B ≈ 2(1 + ) log p suffices asymptotically.
There is a function c p = c( p) such that lim p→∞ c p = 2(1 + ), and, for each p, i prime e i :=max{e∈N| e i <c p log p} Proof. Let B be an integer. We have Taking logarithms, using the prime number theorem and replacing the sum by an integral we have which proves the lemma.

Efficient Representations of Isogeny Paths and Other Data
Our schemes require representing/transmitting elliptic curves and isogenies. In this section we first explain how to represent certain mathematical objects appearing in our protocol as bitstrings in a canonical way so that minimal data needs to be sent and stored. Next, we discuss different representations of isogeny paths and their impact on the efficiency of our signature schemes. As these paths will be sent from one party to another, the second party needs an efficient way to verify that the bitstring received corresponds to an isogeny path between the right curves.
Let p be a prime number. Every supersingular j-invariant is defined over F p 2 . A canonical representation of F p 2 -elements is obtained via a canonical choice of degree 2 irreducible polynomial over F p . Canonical representations in any other extension fields are defined in a similar way. Although there are only about p/12 supersingular jinvariants in characteristic p, we are not aware of an efficient method to encode these invariants into log p bits, so we represent supersingular j-invariants with the 2 log p bits it takes to represent an arbitrary F p 2 -element.
Elliptic curves are defined by their j-invariant up to isomorphism. Hence, rather than sending the coefficients of the elliptic curve equation, it suffices to send the jinvariant. For any invariant j there is a canonical elliptic curve equation E j : y 2 = x 3 + 3 j 1728− j x + 2 j 1728− j when j = 0, 1728, y 2 = x 3 + 1 when j = 0, and y 2 = x 3 + x when j = 1728. If one needs a particular group order then one might need to take a twist.
We now turn to representing chains E 0 , E 1 , . . . , E n of isogenies φ i : Here i are always very small primes. A useful feature of our protocols is that isogeny chains can always be chosen such that the isogeny degrees are increasing i ≥ i−1 . First we need to discuss how to represent the sequence of isogeny degrees. If all degrees are equal to a constant (e.g., = 2) then it is only necessary to state the length. If the degrees are different then the most compact representation seems to be N = n i=1 i which might be a global system parameter, or may be sent as part of the protocol. The receiver can recover the sequence of isogeny degrees from N by factoring using trial division and ordering the primes by size. This representation is possible due to our convention the isogeny degrees are increasing and since the degrees are all small. Now we discuss how to represent the curves themselves in the chain of isogenies. We give several methods.
1. There are two naive representations. One is to send all the j-invariants j i = j (E i ) for 0 ≤ i ≤ n. This requires 2(n + 1) log 2 ( p) bits. Note that the verifier is able to check the correctness of the isogeny chain by checking that Φ i ( j i−1 , j i ) = 0 for all 1 ≤ i ≤ n, where Φ i is the i -th modular polynomial. The advantage of this method is that verification is relatively quick (just evaluating a polynomial that can be precomputed and stored). The other naive method is to send the x-coordinate of a kernel point P i ∈ E j i on the canonical curve. Given j i−1 and the kernel point P i−1 one computes the isogeny φ i on E j i−1 whose image is isomorphic to E j i using the Vélu formula and hence deduces j i . Note that the kernel point is not unique and is typically defined over an extension of the field. Both these methods require huge bandwidth.
A refinement of the second method is used in our first signature scheme, where is fixed and one can publish a point that defines the kernel of the entire isogeny chain. Precisely a curve E and points R, S ∈ E[ n ] are fixed. Each integer 0 ≤ α < n defines a subgroup R +[α]S and hence an n isogeny. It suffices to send α, which requires log 2 ( n ) bits. In the case = 2 this is just n bits, which is smaller than all the other suggestions in this section. 2. One can improve upon the naive method in several simple ways. One method is to send every second j-invariant. The Verifier accepts this as a valid path if, for all odd integers i, the greatest common divisor over F p 2 [y] is a non-constant polynomial, which will almost always be (y − j i ).
Another method is to send only some least significant bits (more than log 2 ( i + 1) of them) of the j i instead of the entire value. The verifier can reconstruct the isogeny path by factoring Φ i ( j i−1 , y) over F p 2 (it will always split completely in the supersingular case) and then selecting j i to be the root that has the correct least significant bits (depending on how many bits are used there may occassionally be a non-unique choice of root, but considering the path globally the compressed representation should lead to a unique sequence of j-invariants). 3. An optimal compression method seems to be to define a well-ordering on F p 2 (e.g., lexicographic order on the binary representation of the element). Instead of j i one sends the index k such that when the i + 1 roots of Φ i ( j i−1 , y) are written in order, j i is the k-th root. It is clear that the verifier can reconstruct the value j i and hence can reconstruct the whole chain from this information. The sequence of integers k can be encoded as a single integer in terms of a "base i j=1 ( i + 1)" representation. If the walk is non-backtracking and the primes i are repeated then one can remove the factor (y − j i−2 ) that corresponds to the dual isogeny of the previous step, this can save some bandwidth. We call this method "optimal" since it is hard to imagine doing better than log 2 ( i + 1) bits for each step in general, 6 though we have no proof that one cannot do better. However, note that the verifier now needs to perform polynomial factorisation, which may cause some overhead in a protocol. Note that in the case where all i = 2 and the walk is non-backtracking then this method also requires n bits, which matches the method we use in our first signature scheme (mentioned in item 1 above). 4. A variant of the optimal method is to use an ordering on points/subgroups rather than j-invariants. At each step one sends an index k such that the isogeny φ : Again the verifier can reconstruct the path, but this requires factoring i -division polynomials. To be precise: Given a canonical ordering on the field of definition of E[ ], one can define a canonical ordering of the cyclic kernels, hence represent them by a single integer in {0, . . . , }. One can extend this canonical ordering to kernels of composite degrees in various simple ways (see also [3,Section 3.2]). If two curves are connected by two distinct isogenies of the same degree then either one can be chosen (it makes no difference in our protocols), so the ambiguity in exceptional cases is never a problem for us. In practice, since these points may be defined over an extension of F p 2 , we believe that ordering the roots of Φ i ( j i−1 , y) is significantly more efficient than ordering kernel subgroups.
Finally we give a brief analysis of the complexity of the basic operations required for our schemes, assuming fast (quasi-linear) modular and polynomial arithmetic.
As discussed above, an isogeny step of prime degree can be described by a single integer in {0, . . . , }. Similarly, by combining integers in a product, an isogeny of degree i e i i can be described by a single positive integer smaller than i ( i +1) e i . This integer can define either a list of subgroups (specified in terms of some ordering), or a list of supersingular j-invariants (specified in terms of an ordering on the roots of the modular polynomial). In the first case, at each step the verifier, given a j-invariant, will need to compute the curve equation, then its full i torsion (which may be over a large field extension), then to sort with respect to some canonical ordering the cyclic subgroups of order i to identify the correct one, and finally to compute the next j-invariant with Vélu's formulae [44]. In the second case, at each step the verifier, given a j-invariant, will need to specialize one variable of the i -th modular polynomial, then to compute all roots of the resulting univariate polynomial and finally to sort the roots to identify the correct one. The second method is more efficient as it does not require running Vélu's formulae over some large field extension, and the root-finding and sorting routines are applied on smaller inputs. We assume that the modular polynomials are precomputed.
In our second signature scheme we will have e i i = O(log p). The cost of computing an isogeny increases with the size of i . Hence it suffices to analyse the larger case, for which e i = 1 and i = O(log p). Assuming precomputation of the modular polynomials and using [46] for polynomial factorization, the most expensive part of an isogeny step is evaluating the modular polynomials Φ i (x, y) at x = j i−1 . As these polynomials are bivariate with degree i in each variable they have O( 2 i ) monomials and so this requires O(log 2 p) field operations for a total cost ofÕ(log 3 p) bit operations since j-invariants are defined over F p 2 . In our first signature scheme based on the De Feo-Jao-Plût protocol we have i = O(1) so each isogeny step costsÕ(log p) bit operations.
Alternatively, isogeny paths can be given as a sequence of j-invariants. To verify the path is correct one must compute Φ i ( j i−1 , j i ), which still requiresÕ(log 3 p) bit operations. However, in practice it would be much quicker to not require root-finding algorithms. Also, all the steps can be checked in parallel, and all the steps of a same degree are checked using the same polynomial, so we expect many implementation optimizations to be possible.

Identification Schemes and Security Definitions
In this section we recall the standard cryptographic notions of sigma-protocols and identification schemes. Good general references are Chapter 8 of Katz [28] and the lecture notes of Damgård [13] and Venturi [41]. A sigma-protocol is a three-round proof of knowledge of a relation. An identification scheme is an interactive protocol between two parties (a Prover and a Verifier). We use the terminology and notation of Abdalla-An-Bellare-Namprempre [1] (also see Bellare-Poettering-Stebila [5]). We also introduce a notion of "recoverability" which is implicit in the Schnorr signature scheme and seems to be folklore in the field. All algorithms below are probabilistic polynomial-time (PPT) unless otherwise stated.

Definition 2. Let λ be a security parameter and let
A sigma-protocol for the relation R is a 3-round interactive protocol between a prover P and a Verifier V. Both P and V are PPT algorithms with respect to the parameter λ. The prover holds a witness x for y ∈ L and the verifier is given y. The prover first sends a value α (the commitment) to the verifier, the verifier responds with a challenge β (chosen from some set of possible challenges), and the prover answers with γ . The verifier outputs 1 if it accepts the proof and zero otherwise. The triple (α, β, γ ) is called a transcript. Formally the protocol runs as α ← P(y, A sigma-protocol is complete if the verifier outputs 1 with probability 1. A transcript for which the verifier outputs 1 is called a valid transcript. A sigma-protocol is 2-special sound if there is an extractor algorithm X such that for any y ∈ L, given two valid transcripts (α, β, γ ) and (α, β , γ ) for the same first message α but β = β, then X (y, α, β, γ, β , γ ) outputs a witness x for the relation.
A sigma-protocol is honest verifier zero-knowledge (HVZK) if there is an efficient simulator S that on input y ∈ L generates valid transcripts (α, β, γ ) that are distributed identically to the transcripts of the real protocol. Formally, there exists a PPT simulator S such that for all PPT adversaries A, we have An identification (ID) scheme is an interactive protocol between two parties (a Prover and a Verifier), where the Prover aims to convince the Verifier that it knows some secret without revealing anything about it. This is achieved by the Prover first committing to some value, then the Verifier sending a challenge, and finally the Prover computing a response that depends on the commitment, the challenge and the secret.
where K is a randomised algorithm (key generation) that on input a security parameter λ outputs a pair (pk, sk); P is an algorithm taking input sk, random coins r and state information st, that returns a message; c is the length of the challenge (a function of the parameter k); and V is a deterministic verification algorithm that takes as input pk and a transcript and outputs 0 or 1. A transcript of an honest execution of the scheme ID is the sequence: cmt ← P(sk, r ), ch ← {0, 1} c , rsp ← P(sk, r, cmt, ch). On an honest execution we require that V(pk, cmt, ch, rsp) = 1.
An impersonator for ID is an algorithm I that plays the following game: I takes as input a public key pk and a set of transcripts of honest executions of the scheme ID; I outputs cmt, receives ch ← {0, 1} c and outputs rsp. We say that I wins if V(pk, cmt, ch, rsp) = 1. The advantage of I is | Pr(I wins) − 1 2 c |. We say that ID is secure against impersonation under passive attacks if the advantage is negligible for all probabilistic polynomial-time adversaries. An An ID-scheme is recoverable if there is a deterministic algorithm Rec such that for any transcript (cmt, ch, rsp) of an honest execution we have Rec(pk, ch, rsp) = cmt.
One can transform any 2-special sound ID scheme into a non-trivial scheme by running t sessions in parallel, and this is secure for classical adversaries (see Section 8.3 of [28]). We will not need this result in the quantum case. One first generates cmt i ← P(pk, sk) for 1 ≤ i ≤ t. One then samples ch ← {0, 1} ct and parses it as The successful cheating probability is then improved to 1/2 ct , which is non-trivial when t ≥ λ/c.
An ID-scheme is a special case of a sigma-protocol with respect to the relation defined by the instance generator K as (pk, sk) ← K , where we think of sk as a witness for pk. More generally, any sigma-protocol for a relation of a certain type can be turned into an identification scheme. [41]; Section 6 of [13]; Definition 15 of [40], where it is called "hard instance generator") A hard relation R on Y × X is one where there exists a PPT algorithm K that outputs pairs (y, x) ∈ Y × X such that R(y, x) = 1, but for all PPT adversaries A

Definition 4. (Definition 6 of
The following result is essentially due to Feige, Fiat and Shamir [18] and has become folklore in this generality. For the proof see Theorem 5 of [41].

Theorem 2.
Let R be a hard relation with generator K and let (P, V) be the prover and verifier in a sigma-protocol for R with c-bit challenges for some integer c ≥ 1. Suppose the sigma-protocol is complete, 2-special sound, and honest verifier zero-knowledge. Then (K , P, V, c) is a canonical identification scheme that is secure against impersonation under (classical) passive attacks.
Proof. The only difference between the sigma protocol and the ID-scheme is a change of notation from (y, x) ← K (1 λ ) to (pk, sk) ← K (1 λ ), α to cmt, β to ch and γ to rsp. For details see Theorem 5 of [41].

Signatures and the Fiat-Shamir Transform
For signature schemes we use the standard definition of existential unforgeability under chosen message attacks [29] (we sometimes abbreviate this to secure). An adversary can ask for polynomially many signatures of messages of his choice to a signing oracle Sign sk (·). Then, the attack is considered successful if the attacker is able to produce a valid pair of message and signature for a message different from those queried to the oracle.

Definition 5.
A signature scheme Π = (Gen, Sign, Verify) is said to be existentially unforgeable under adaptive chosen-message attacks (or secure, for short) if for all probabilistic polynomial time adversaries A with access to Sign sk (·), where Q is the set of messages queried by A to the Sign sk oracle, and #Q is polynomial in λ.
We now discuss the Fiat-Shamir transform [20] to build a signature scheme from an identification scheme. The idea is to make the interactive protocol ID = (K , P, V, c) non-interactive by using a random oracle to produce the challenges. Suppose the protocol ID must be executed in parallel t times to be non-trivial (with soundness probability 1/2 tc ). Let H be a random oracle that outputs a bit string of length ct.
-(pk, sk) ← K (λ): this is the same as in the identification protocol. The public key and secret key are the public key and the secret key from key generation algorithm K of the identification protocol.
If V returns 1 for all i then output 1, else output 0.

Theorem 3. ([1])
Let ID be a non-trivial canonical identification protocol that is secure against impersonation under passive attacks. Let S be the signature scheme derived from ID using the Fiat-Shamir transform. Then S is secure against chosenmessage attacks in the random oracle model. Remark 1. If the ID-scheme ID is recoverable then one can obtain a more compact signature scheme. Recall that "recoverable" (Definition 3) means there is a deterministic algorithm Rec such that for any transcript of an honest execution we have Rec(pk, ch, rsp) = cmt. We now describe the signature scheme.
If V returns 1 for all i then output 1, else output 0.
An attacker against this signature scheme can be turned into an attacker on the original signature scheme (and vice versa), which shows that both schemes have the same security. This is addressed in the following result. Proof. Let A be an algorithm that forges signatures against the signature scheme of Remark 1. We will convert A into an algorithm B that forges signatures for the original Fiat-Shamir signature scheme that is proved secure in Theorem 3.
Let B be given as input a public key pk, and call A on that key. When A makes a sign query or a hash query, pass these on as queries made by B. Results of hash queries are forwarded to A. When B gets back a signature (cmt 1 , . . . , cmt t , rsp 1 , . . . , rsp t ) for message m we compute h = H (m, cmt 1 , . . . , cmt t , ) and return to A the signature Finally A outputs a forgery σ * = (h * , rsp * 1 , . . . , rsp * t ) on message m. This is different from previous outputs of the sign oracle, which means that σ = (h, rsp 1 , . . . , rsp t ) for every output of the sign oracle. Note that this non-equality means either as a forgery on message m for the original scheme. We claim that this is also distinct from all other signatures that have been returned to B: if equal to some previous signature (cmt 1 , . . . , cmt t , rsp 1 , . . . , rsp t ) on message m then rsp * i = rsp i and h * = H (m, cmt * 1 , . . . , cmt * t ) = h, which violates the fact that σ * was a valid forgery on m.
Remark 2. The question of the output length t of the hash function depends on the security requirements. The conservative choice in the classical setting is t = 2λ, to avoid generic collision attacks. However, in the Fiat-Shamir transform the hash value is h = H (m, cmt 1 , · · · , cmt t ). To construct an existential forgery when given a signing oracle (or to break non-repudiation) it is sufficient to generate random commitments cmt 1 , · · · , cmt t and then find a collision in the hash function H (x) = H (x, cmt 1 , · · · , cmt t ). For a chosen-message forgery or non-repudiation it is necessary, given a chosen message m, to find a second message m with H (m, cmt 1 , · · · , cmt t ) = H (m , cmt 1 , · · · , cmt t ), which is essentially computing a second-preimage in the hash function. As a result, in most practical settings and if H behaves like a random oracle, then one can take t = λ. This optimisation was already mentioned in the original paper on Schnorr signatures, and has been discussed in detail by Neven-Smart-Warinschi [34]. It is known (see Section 6.2 of [7]) that sponge hash functions behave like a random oracle, as do truncated Merkle-Hellman functions. Hence, with a well-chosen hash function one can take t = λ. On the other hand, t = λ would not be sufficient for Merkle-Damgård functions [31,34].

Post-Quantum Alternatives To Fiat-Shamir
If one considers a quantum adversary who can make quantum queries to the random oracle then arguments in the classical random oracle model are not necessarily sufficient. Fortunately, an alternative transform was recently provided by Unruh [40], which converts a sigma-protocol into a signature scheme that is secure against a quantum adversary. The transform is also discussed by Goldfeder, Chase and Zaverucha [23].
Definition 17 of [40] gives a notion of security for signature schemes in the quantum random oracle model. The definition is identical to Definition 5 except that queries to the hash function (random oracle) may be quantum (note that queries to the Sign oracle remain classical).
We now set the scene for Unruh's transform. Let K be a generator for a hard relation as in Definition 4. Let P and V be a sigma-protocol for the relation, where the set of challenges is {0, 1} c and where 2 c is polynomial in the security parameter. Suppose the sigma-protocol is complete, n-special sound, and honest verifier zero-knowledge. Let t be a parameter so that 2 ct is exponential in the security parameter and let H : {0, 1} * → {0, 1} tc be a hash function that will be modelled as a random oracle. Let Γ be the set of possible responses γ (also denoted rsp) in the sigma-protocol. The transform also requires a quantum random oracle G : Γ → Γ which should be injective or at least be such that every element has at most polynomially many pre-images.
Unruh first gives a construction for a NIZK proof (Figure 1 of [40]) and then gives a construction for a signature scheme (Definition 16 of [40]). We collapse these into a single transform and use an optimisation from [23], essentially to define the challenges to be fixed bitstrings j = ch i, j so that they do not need to be hashed or checked.
-Sign(sk, m): Compute the commitments cmt i ← P(pk, sk) for 1 ≤ i ≤ t. Now, for each i and all 0 ≤ j < 2 c set ch i, j to be the binary representation of j. In other words {ch i, j : 0 ≤ j < 2 c } is the set of all c-bit binary strings, and so is the set of all possible challenges. For all 1 ≤ i ≤ t and 0 ≤ j < 2 c compute rsp i, j ← P(pk, sk, cmt i , ch i, j ) and g i, j = G(rsp i, j ) (note that this is t2 c values). Let T (the transcript) be a bitstring representing all commitments, challenges 7 and the values g i, j , so that Let h = H (pk, m, T ) and parse it as ch 1 , . . . , ch t where each value is in {0, 1} c . More precisely, write J i for the integer whose binary representation is the i-th block of c bits in the hash value so that ch i = ch i,J i . The signature is -Verify(m, σ, pk): Compute h = H (pk, m, T ) and parse it as t integers J 1 , . . . , J t .
Check that the challenges are correctly formed in T , that g i, If all checks are correct then output 1, else output 0. Proof. Apply Theorems 10, 13 and 18 of [40].

Theorem 5. ([40]) Let R be a hard relation with generator K and let (P, V) be the prover and verifier in a sigma-protocol for R with c-bit challenges for some integer
If the scheme is recoverable then the signature may be compressed in size by comput- However, compared with the original Fiat-Shamir transform, the saving in signature size is negligible since it is necessary to send all the g i, j as part of the signature.
Remark 3. In Unruh [40] the set Γ is of a fixed size and all responses have the same length. The quantum random oracle G is used to commit to all responses at the same time, and its domain and image sets have the same size to ensure that G is binding in an unconditional or at least statistical sense (i.e. a computationally binding commitment would not suffice). In our protocols however, the challenges are just one bit, and the responses to challenges 0 and 1 have different lengths. We therefore use two quantum random oracles G 0 and G 1 to hide responses to challenges 0 and 1 respectively.

Remark 4.
In practice we will replace the random oracle by a concrete hash function with a certain output length t. The correct choice of t in the quantum setting is still a subject of active research. As mentioned in Remark 2, a first question is whether one is concerned with chosen-message forgery/repudiation. The next question is to what extent quantum algorithms speed up collision finding. The third question is to consider a concrete analysis of the security proof for Unruh's transform, and any other factors in the security reduction that may be influenced by the hash output size. One conservative option is to assume that Grover's algorithm gives the maximal speedup for quantum algorithms, in which case one could take t = 3λ to ensure collision-resistance. Bernstein [6] has questioned the practicality of quantum collision-finding algorithms. Following his arguments, Goldfeder, Chase and Zaverucha [23] chose t = 2λ, and a similar choice was made in Yoo et al. [49]. On the other hand, Beals et al. [4] suggest there may be a quantum speedup that would require increasing t.
We keep t as a parameter that can be adjusted as more information comes to light. The tables in Section 4.7 are computed using the conservative choice t = 3λ.

Heuristic Assumptions used in this Paper
This paper makes use of several heuristic assumptions. All these assumptions say that some forms of the following approximations are valid.

Approximation 1. Let N 1 be a set and let
In several cases, N 1 will be the set of positive integers up to some bound, and N 2 will be a subset of integers with some factorization pattern. In this case, we will approximate |N 2 |/|N 1 | by the value naturally expected from the density of primes. More precisely: -In Section 4.3, Step 2c, the existence of β 2 is guaranteed if some linear system is invertible over Z N . Here N is an integer of cryptographic size, and the system is randomized through the selection of α and β 1 in Steps 2a and 2b. We assume that the probability of having a non invertible system is negligible. -In Lemma 6, we generate candidates for the ideals I i according to some distribution on the set of solutions of a quadratic form. Here there are O(log p) candidate ideals, and we assume that only O(log p) trials are needed to find the correct one. -In Section 4.3, Step 1, we construct a random element in an ideal I according to a specific distribution, and assume the reduced norm of this element will be a prime with a probability as given by the prime number theorem.
-In Section 4.3, Steps 2b and 2d, we generate integer elements according to a specific distribution, and we assume that the probability that these numbers are "Cornacchianice" (in the sense that Cornacchia's algorithm will run efficiently on them, which translates into some factorization pattern) only depends on their size, and is as expected for numbers of these sizes.
All assumptions except for the second one come from our use of (the powersmooth variant of) the quaternion isogeny algorithm in [33].
We expect that the first two assumptions above can be removed with a finer analysis, maybe together with some minor algorithmic changes and a moderate efficiency loss. In the case of the second assumption, trying all possible solutions to the quadratic form will maintain a polynomial complexity, though of a slightly bigger degree. One might then reduce that degree by exploiting the structure of all solutions leading to the same ideals.
On the other hand, a rigorous proof for the remaining assumptions seem to be beyond the reach of existing analytic number theory techniques. We stress that these sorts of assumptions are generally believed to be true by analytic number theory experts "unless there is a good reason for them to be false", such as some congruence condition. In the later case, we expect that simple tweaks to our algorithms will restore their correctness and improve their complexity.

First Signature Scheme
This section presents a signature scheme obtained from the interactive identification protocol of De Feo-Jao-Plût [19]. First we describe their scheme. The independent work [49] presents a signature scheme which is obtained in the same way, by applying the Fiat-Shamir or Unruh transformation to the De Feo-Jao-Plût identification protocol. Nevertheless, in this paper we obtain a smaller signature size.
The prover sends E 2 and E 3 to the verifier. 2. The verifier challenges the prover with a random bit ch ← {0, 1}. 3. If ch = 0, the prover reveals P 2 and ϕ(P 2 ) (for example by sending the integers  (a, b)).
In both cases, the verifier accepts the proof if the points revealed have the right order and are the kernels of isogenies between the right curves. We iterate this process to reduce the cheating probability.
Note that the response to challenge 0 is two points while the response to challenge 1 is one point. In other words, at first sight, the responses have different lengths. Compression techniques can be used in this case to ensure that responses all have the same length (see Section 4.2 of [49]).
The following theorem is the main security result for this section. The basic ideas of the proof are by De Feo-Jao-Plût [19], but we give a slightly different formalisation that is required for our signature proof. Theorem 6. If Problems 3 and 4 are computationally hard, then the interactive protocol defined above, repeated t times in parallel for a suitable parameter t, is a non-trivial canonical identification protocol that is secure against impersonation under passive attacks.
Proof. It is straightforward to check that the scheme is correct (in other words, the sigma protocol is complete). We now show that parallel executions of the sigma protocol are sound and honest verifier zero knowledge.
For soundness: Suppose A is an adversary that takes as input the public key and succeeds in the identification protocol with noticeable probability . Given a challenge instance (E 0 , E 1 , R 1 , S 1 , R 2 , S 2 , ϕ(R 2 ), ϕ(S 2 )) for Problem 3 we run A on this tuple as the public key. In the first round, A outputs commitments We then send a challenge ch ∈ {0, 1} t to A and, with probability outputs a response rsp that satisfies the verification algorithm. Now, we use the standard replay technique: Rewind A to the point where it had output its commitments and then respond with a different challenge ch ∈ {0, 1} t . With probability , A outputs a valid response rsp . Now, choose some index i such that ch i = ch i . We now restrict our focus to the components cmt i , rsp i and rsp i . It means A sent E 2 , E 3 and can answer both challenges ch = 0 and ch = 1 successfully. Hence we have an explicit description of the isogenies ψ, ψ and ϕ in the following diagram.
From this, one has an explicit description of an isogenyφ =ψ • ϕ • ψ from E 0 to E 1 . The degree ofφ is e 1 1 2e 2 2 . One can determine ker(φ) ∩ E 0 [ e 1 1 ] by iteratively testing points in E 0 [ and setting E 2 = E 0 / u R 2 + vS 2 and E 3 = E 1 / uϕ(R 2 ) + vϕ(S 2 ) . When b = 1 we choose a random curve E 2 and a random point R ∈ E 2 [ e 1 1 ] and we publish E 2 , E 3 = E 2 / R and answer with the point R (hence defining the isogeny). Although (E 2 , E 3 ) are a priori not distributed correctly, the computational assumption of Problem 4 implies it is computationally hard to distinguish the simulation from the real game. Hence the scheme has computational zero knowledge.
Finally we prove the identification scheme is secure against impersonation under passive attacks. Let I be an impersonator for the scheme. Given a challenge instance (E 0 , E 1 , R 1 , S 1 , R 2 , S 2 , ϕ(R 2 ), ϕ(S 2 )) for Problem 3 we run I on this tuple as the public key. We are required to provide I with a set of transcripts of honest executions of the scheme, but this is done using the simulation method used to show the sigma protocol has honest verifier zero knowledge. If I is able to succeed in its impersonation game then it breaks the soundness of the sigma protocol. We have already shown that if an adversary can break soundness then we can solve Problem 3. This completes the proof.

Classical Signature Scheme based on De Feo-Jao-Plût Identification Protocol
One can apply the Fiat-Shamir transform from Section 2.6 to the De Feo-Jao-Plût identification scheme to obtain a signature scheme. One can also check that the scheme is recoverable and so one can apply the Fiat-Shamir variant from Remark 1. In this section we fully specify the signature scheme resulting from the transform of Remark 1, together with some optimisations.
Our main focus is to minimise signature size. Hence, we use the most space-efficient variant of the Fiat-Shamir transform. Next we need to consider how to minimise the amount of data that needs to be sent to specify the isogenies. Several approaches were considered in Section 2.4. For the pair of vertical isogenies it seems to be most compact to represent them using a representation of the kernel (this is more efficient than specifying two paths in the isogeny graph), however this requires additional points in the public key. For the horizontal isogeny there are several possible approaches, but we think the most compact is to use the representation in terms of specifying roots of the modular polynomial. One can easily find other implementations that allow different tradeoffs of public key size versus signature size.
Key Generation Algorithm: On input a security parameter λ generate a prime p with at least 4λ bits, such that p = e 1 1 e 2 2 f ±1, with 1 , 2 , f small (ideally f = 1, 1 = 2, 2 = 3) and e 1 1 ≈ e 2 2 . Choose 8 a supersingular elliptic curve E 0 with #E 0 (F p 2 ) = ( e 1 1 e 2 2 f ) 2 and j-invariant j 0 . Fix points R 2 , S 2 ∈ E 0 (F p 2 )[ e 2 2 ] and a random primitive e 1 1 -torsion point P 1 ∈ E 0 [ e 1 1 ]. Compute the isogeny ϕ : E 0 → E 1 with kernel generated by P 1 , and let j 1 be the j-invariant of the image curve. Set R 2 = ϕ(R 2 ), S 2 = ϕ(S 2 ). Choose a hash function H with t = 2λ bits of output (see Remark 2). The secret key is P 1 , and the public key is ( p, j 0 , j 1 , R 2 , S 2 , R 2 , S 2 , H ). One can reduce the size of the public key by using different representations of isogeny paths, but for simplicity we use this variant.
Signature Algorithm: For i = 1, . . . , t, choose random integers 0 ≤ α i < e 2 2 . Compute the isogeny ψ i : E 0 → E 2,i with kernel generated by R 2 +[α i ]S 2 and let j 2,i = j (E 2,i ). Compute the isogeny ψ i : E 1 → E 3,i with kernel generated by R 2 + [α i ]S 2 and let j 3,i = j (E 3,i ). Compute h = H (m, j 2,1 , . . . , j 2,t , j 3,1 , . . . , j 3,t ) and parse the output as t challenge bits b i . For i = 1, . . . , t, if b i = 0 then set z i = α i . If b i = 1 then compute ψ i (P 1 ) and compute a representation z i of the j-invariant j 2,i ∈ F p 2 and the isogeny with kernel generated by ψ i (P 1 ) (for example, as a sequence of integers representing which roots of the 1 -division polynomial to choose at each step of a non-backtracking walk, or using a compact representation of ψ i (P 1 ) in reference to a canonical basis of E 2,i [ e 1 1 ]). Return the signature σ = (h, z 1 , . . . , z t ). Verification Algorithm: On input a message m, a signature σ and a public key P K , recover the parameters p, E 0 , E 1 . For each 1 ≤ i ≤ t, using the information provided by z i , one recomputes the j-invariants j 2,i , j 3,i . In the case b i = 0 this is done using z i = α i by computing the isogeny from E 0 with kernel generated by R 2 + [α i ]S 2 and the isogeny from E 1 with generated by R 2 + [α i ]S 2 . When b i = 1 then the value j 2,i is provided as part of z i , together with a description of the isogeny from E 2,i to E 3,i .
One then computes and checks that the value equals h from the signature. The signature is accepted if this is true and is rejected otherwise.

Theorem 7. If Problems 3 and 4 are computationally hard then the first signature scheme is secure in the random oracle model under a chosen message attack.
Proof. This follows immediately from Theorem 4, Theorem 2 and Theorem 6. 8 Costello-Longa-Naehrig [12] choose a special j-invariant in F p for efficiency reasons in their implementation of the supersingular key exchange protocol. One could also choose a random j-invariant by performing a random isogeny walk from any fixed j-invariant.
Efficiency: As isogenies are of degree roughly √ p, the scheme requires to use primes p of size 4λ to defeat meet-in-the-middle attacks. Assuming H is some fixed hash function and therefore not sent, the secret key is simply x(P 1 ) ∈ F p 2 . A trivial representation requires 2 log p = 8λ bits; however with a canonical ordering of the cyclic subgroups this can be reduced to 1 2 log p = 2λ bits. The public key is p and then j 0 , j 1 , x(R 2 ), x(S 2 ), x(R 2 ), x(S 2 ) ∈ F p 2 which requires 13 log 2 ( p) ≈ 52λ bits. The values of j 0 , x(R 2 ) and x(S 2 ) can be canonically fixed by the protocol, in which case the public key is only 7 log p ≈ 28λ bits. The values of x(R 2 ) and x(S 2 ) can also be avoided but at the expense of larger signature sizes. The signature size is analysed in Lemma 2.
De Feo et al [19] showed how to compute an e -isogeny in around e log(e) exponentiations/Vélu computations using what they call an "optimal strategy". Assuming quasi-linear costÕ(log( p 2 )) =Õ(λ) for the field operations, the total computational complexity of the signing and verifying algorithms isÕ(λ 3 ) bit operations.

Lemma 2. The average signature size of this scheme is
Proof. On average half the bits b i of the hash value are zero and half are one. When b i = 0 we send an integer α i such that 0 ≤ α i < e 2 2 , which requires log 2 ( e 2 2 ) ≈ 2λ bits. When b i = 1 we need to send j 2,i ∈ F p 2 , which requires 2 log 2 ( p) bits, followed by a representation of the isogeny. One can represent a generator of the kernel of the isogeny with respect to some canonical generators P 1 , Q 1 of E 2,i [ e 1 1 ] as β i such that 0 ≤ β i < e 1 1 , thus requiring log 2 ( e 1 1 ) bits. Alternatively one can represent the nonbacktracking sequence of j-invariants in terms of an ordering on the roots of the 1 -th modular polynomial. This also can be done in log 2 ( e 1 1 ) bits. For security level λ one can take t = λ (as explained in Remark 2), giving e 1 1 ≈ e 2 2 ≈ 2 2λ , p ≈ 2 4λ and so signatures are around 6λ 2 bits. The more conservative choice t = 2λ gives signatures of around 12λ 2 bits.

Post-Quantum Signature Scheme based on De Feo-Jao-Plût Identification Protocol
Next, we describe the signature scheme resulting from applying Unruh's transform to the identification scheme of De Feo-Jao-Plût, and we discuss its efficiency.
Key Generation Algorithm: On input a security parameter λ generate a prime p with at least 6λ bits, such that p = e 1 1 e 2 2 f ± 1, with 1 , 2 , f small (ideally f = 1, 1 = 2, 2 = 3) and e 1 1 ≈ e 2 2 > 2 3λ . Choose a supersingular elliptic curve E 0 with #E 0 (F p 2 ) = ( e 1 1 e 2 2 f ) 2 and j-invariant j 0 . Fix a canonical basis {R 2 , S 2 } for E 0 (F p 2 )[ e 2 2 ] and a random primitive e 1 1 -torsion point P 1 ∈ E 0 [ e 1 1 ]. Compute the isogeny ϕ : E 0 → E 1 with kernel generated by P 1 , and let j 1 be the j-invariant of the image curve. Set R 2 = ϕ(R 2 ), S 2 = ϕ(S 2 ). Choose a hash function H : {0, 1} * → {0, 1} t with t = 3λ bits of output (see Remark 4), and two hash functions G i : {0, 1} N i → {0, 1} N i for i = 0, 1, such that every element has polynomially many preimages. Here N i is an upper bound on the bitlength of the responses in the protocol when the challenge bit is i. The secret key is P 1 , and the public key is ( p, j 0 , j 1 , R 2 , S 2 , R 2 , S 2 , H, G). One can reduce the size of the public key by using different representations of isogeny paths, but for simplicity we use this variant.
Signing Algorithm : For i = 1, . . . , t, choose random integers 0 ≤ α i < e 2 2 . Compute the isogeny ψ i : E 0 → E 2,i with kernel generated by R 2 +[α i ]S 2 and let j 2,i = j (E 2,i ). Compute the isogeny ψ i : E 1 → E 3,i with kernel generated by R 2 + [α i ]S 2 and let j 3,i = j (E 3,i ). For i = 1, . . . , t, set z i,0 = α i and z i,1 as a representation of the jinvariant j 2,i ∈ F p 2 and the isogeny with kernel generated by ψ i (P 1 ) (for example, as a sequence of integers representing which roots of the 1 -modular polynomial to choose at each step of a non-backtracking walk, or using a compact representation of ψ i (P 1 ) in reference to a canonical basis of E 2,i [ e 1 1 ]).

. , g t,1−h t ).
Verification Algorithm: On input a message m, a signature σ and a public key P K , recover the parameters p, E 0 , E 1 . For each 1 ≤ i ≤ t, using the information provided by rsp i , one recomputes the j-invariants j 2,i , j 3,i . In the case h i = 0 this is done using rsp i = α i by computing the isogeny from E 0 with kernel generated by R 2 + [α i ]S 2 and the isogeny from E 1 with generated by R 2 + [α i ]S 2 . When h i = 1 then the value j 2,i is provided as part of rsp i , together with a description of the isogeny from E 2,i to E 3,i .
is the same as h from the signature. In this case the verifier accepts the proof, otherwise it is rejected.
We now show that this scheme is a secure signature.

Theorem 8. If Problems 3 and 4 are computationally hard then the first signature scheme is secure in the quantum random oracle model under a chosen message attack.
Proof. This follows immediately from Theorem 5, Theorem 2 and Theorem 6.
Efficiency: There are four reasons why the post-quantum variant of the signature is less efficient than the variant in Section 3.2. First, the prime p is larger in the post-quantum case due to the quantum attack on the isogeny problem due to Biasse, Jao and Sankar [8]. Second, one must compute responses to both values of the challenge bit, which essentially doubles the computation compared with the non-post-quantum case. Thirdly, one needs to send the values g i, j as part of the signature, which increases signature size. Note that we have introduced an optimisation that only sends half the values g i, j , since the missing values can be recomputed by the verifier. And fourth, the chosen value of t will be larger when aiming for quantum security, as per Remark 4. We now compute the average signature size. When h i = 0, responses are of the form α i for a random integer 0 ≤ α i < e 2 2 , and thus requiring N 0 ≈ log 2 e 2 ≈ 1 2 log p bits each. When h i = 1, responses encode the j-invariant j 2,i , which takes 2 log p bits to represent, and the isogeny with kernel generated by ψ i (P 1 ), which has degree e 1 1 , and thus requires log e 1 1 bits, for a total of N 1 ≈ 5 2 log p. Finally, we note that the average response length 3 2 log p is doubled as in Unruh transform a commitment to the other challenge value is simultaneously transmitted. The average size of signatures is therefore t + t · 3 log p. For λ bits of security, we choose log p = 6λ and t = 3λ, obtaining an average signature size of 54λ 2 .

Second Signature Scheme
We now present our main result. The main advantage of this scheme compared with the one in the previous section is that its security is based on the general problem of computing an isogeny between two supersingular curves, or equivalently on computing the endomorphism ring of a supersingular elliptic curve. Unlike the scheme in the previous section, the prime has no special property and no auxiliary points are revealed.

Identification Scheme Based on Endomorphism Ring Computation
The concept is similar to the graph isomorphism identification scheme, in which we reveal one of two graph isomorphisms, but never enough information to deduce the secret isomorphism.
As recalled in Section 2.4, although it is believed that computing endomorphism rings of supersingular elliptic curves is a hard computational problem in general, there are some particular curves for which it is easy.
Let L be the product of prime powers e up to B = 2 log( p) (this choice is based on Lemma 1). In other words, let 1 , . . . , r be the list of all primes up to B and let The public key is a pair (E 0 , E 1 ) and the private key is an isogeny ϕ : E 0 → E 1 of powersmooth degree L. 2. The prover performs a random walk starting from E 1 of powersmooth degree L in the graph, obtaining a curve E 2 and an isogeny ψ : E 1 → E 2 , and reveals E 2 to the verifier. 3. The verifier challenges the prover with a random bit b ← {0, 1}. 4. If b = 0, the prover sends ψ to the verifier.
If b = 1, the prover does the following: -Compute End(E 2 ) and translate the isogeny path between E 0 and E 2 into a corresponding ideal I giving the path in the quaternion algebra. -Use the Find new path algorithm to compute a "pseudo-canonical" path between End(E 0 ) and End(E 2 ) in the quaternion algebra, represented by an ideal J. -Translate the ideal J to an isogeny path η from E 0 to E 2 .
-Return η to the verifier. 5. The verifier accepts the proof if the answer to the challenge is indeed an isogeny between E 1 and E 2 or between E 0 and E 2 , respectively. To generate the public and private keys, we take a random isogeny (walk in the graph) ϕ : E 0 → E 1 of powersmooth degree L and, using this knowledge, compute End(E 1 ). The public information is E 1 . The secret is End(E 1 ), or equivalently a path from E 0 to E 1 . Under the assumption that computing the endomorphism ring is hard, the secret key cannot be computed from the public key only.
To prove knowledge of ϕ the prover will choose a random isogeny ψ : E 1 → E 2 and give E 2 to the verifier. The verifier challenges the prover to give either the isogeny ψ : E 1 → E 2 or an isogeny η : E 0 → E 2 . The fundamental problem is to find an isogeny η that does not leak any information about ϕ (in particular, the isogeny path corresponding to ψ • ϕ would not be a secure response). Our scheme uses the following three algorithms, that are explained in detail in later sections, that allow a "pseudocanonical" isogeny η to be computed (see Remark 5).
Translate isogeny path to ideal: Given E 0 , O 0 = End(E 0 ) and a chain of isogenies from E 0 to E 1 , to compute O 1 = End(E 1 ) and a left O 0 -ideal I whose right order is O 1 . Find new path: Given a left O 0 -ideal I corresponding to an isogeny E 0 → E 2 , to produce a new left O 0 -ideal J corresponding to an "independent" isogeny E 0 → E 2 of powersmooth degree. Translate ideal to isogeny path: Given E 0 , O 0 , E 2 , I such that I is a left O 0 -ideal whose right order is isomorphic to End(E 2 ), to compute a sequence of prime degree isogenies giving the path from E 0 to E 2 . Figure 1 gives the interaction between the prover and the verifier. One can see that Figure 1 gives a canonical, recoverable identification protocol, but it is not nontrivial as the challenge is only one bit. We repeat the protocol to reduce the cheating probability.
The isogenies involved in this protocol are summarized in the following diagram: The two translation algorithms mentioned above in the b = 1 case will be described in Section 4.4. They rely on the fact that End(E 0 ) is known. The algorithms are efficient when the degree of the random walk is powersmooth, and for this reason all isogenies in our protocols will be of powersmooth degree. The powersmooth version of the quaternion isogeny algorithm of Kohel-Lauter-Petit-Tignol will be described and analysed in Section 4.3. The random walks are taken of sufficiently large degree such that their output has close to uniform distribution, by Theorem 1 and Lemma 1.
In the next subsection we will prove the following result. Figure 1 is a non-trivial, recoverable canonical identification scheme that is secure against impersonation under (classical) passive attacks.

Theorem 9. Let λ be a security parameter and t ≥ λ. If Problem 6 is computationally hard, then the identification scheme obtained from t parallel executions of the protocol in
The advantage of this protocol over De Feo-Jao-Plût's protocol is that it relies on a more standard and potentially harder computational problem. In the rest of this section we first give a proof of Theorem 9, then we provide details of the algorithms involved in our scheme.

Proof of Theorem 9
We shall prove that the sigma protocol in Figure 1 is complete, 2-special sound and honest verifier zero-knowledge. It follows that t parallel executions of the protocol is non-trivial. The theorem will then follow from Theorem 2 and Problem 6 (which implies that the relation being proved is a hard relation).
Note that a standard random-self-reduction [26] shows that the computational hardness of Problem 6 remains essentially the same if the curves are chosen according to a distribution that is close to uniform.

Completeness.
Let ϕ be an isogeny between E 0 and E 1 of B-powersmooth degree, for B = O(log p). If the challenge received is b = 0, it is clear that the prover knows a valid isogeny ψ : E 1 → E 2 , so the verifier accepts the proof. If b = 1, the prover follows the procedure described above and the verifier accepts. In the next subsections we will show that this procedure is polynomial time.

2-special soundness.
Let (E 0 , E 1 ) be an instance of Problem 6 and set it to be the public key for the scheme. Suppose we are given transcripts (cmt, ch 1 , ch 2 , rsp 1 , rsp 2 ) for the single-bit scheme such that V(pk, cmt, ch i , rsp i ) = 1 for all i ∈ {1, 2}. Let E 2 = cmt. Since ch 1 = ch 2 the responses rsp 1 and rsp 2 therefore give two isogenies ψ : E 1 → E 2 , η : E 0 → E 2 . Given these two valid answers an extraction algorithm can compute an isogeny φ : E 0 → E 1 as φ =ψ • η, whereψ is the dual isogeny of ψ. The extractor outputs φ, which is a solution to Problem 6 (we stress that Problem 6 only asks for an arbitrary isogeny from E 0 to E 1 ). This is summarized in the following diagram.
Honest-verifier zero-knowledge. We shall prove that there exists a probabilistic polynomial time simulator S that outputs transcripts indistinguishable from transcripts of interactions with an honest verifier, in the sense that the two distributions are statistically close. Note that O 0 = End(E 0 ) is public information so is known to the simulator. The simulator starts by taking a random coin b ← {0, 1}.
-If b = 0, take a random walk from E 1 of powersmooth degree L, as in the real protocol, obtaining a curve E 2 and an isogeny ψ : E 1 → E 2 . The simulator outputs the transcript (E 2 , 0, ψ).
In this case, it is clear that the distributions of every element in the transcript are the same as in the real interaction, as they are generated in the same way. This is possible because, when b = 0, the secret is not required for the prover to answer the challenge. -If b = 1, take a random walk from E 0 of length L to obtain a curve E 2 and an isogeny μ : E 0 → E 2 , then proceed as in Step 4 of Figure 1 to produce another isogeny η : E 0 → E 2 . The simulator outputs the transcript (E 2 , 1, η).
The reason to output η instead of μ is to ensure that the transcript distributions are indistinguishable from the distributions in the real scheme. We first study the distribution of E 2 up to isomorphism. Let X r be the output of the random walk from E 1 to produce j (E 2 ) in the real interaction, and let X s be the output of the random walk from E 0 to produce j (E 2 ) in the simulation.
Let G be the set of all supersingular j-invariants, namely the vertex set of the isogeny graph. Note that #G = N p ≈ p/12. By Theorem 1 and Lemma 1, since the isogeny walks have degree L, we have, for any j ∈ G which is a negligible function of λ for any constant > 0. In other words, the statistical distance, between the distribution of j (E 2 ) in the real signing algorithm and the simulation, is negligible. Now, since η is produced in the same way from E 0 and E 2 in the simulation and in the real protocol execution, we have that the statistical distance between the distributions of η is also negligible. This follows from Lemma 3 in Section 4.3, which states that the output of the quaternion path algorithm does not depend on the input ideal, only on its ideal class.

Quaternion Isogeny Path Algorithm
In this section we sketch the quaternion isogeny algorithm from Kohel-Lauter-Petit-Tignol [33] and we evaluate its complexity when p = 3 mod 4. (The original paper does not give a precise complexity analysis; it only claims that the algorithm runs in heuristic probabilistic polynomial time.) This is the algorithm used for the Find new path procedure in the identification scheme.
The algorithm takes as input two maximal orders O, O in the quaternion algebra B p,∞ , and it returns a sequence of left O-ideals I 0 = O ⊃ I 1 ⊃ . . . ⊃ I e such that the right order of I e is in the same equivalence class as O . In addition, the output is such that the index of I i+1 in I i is a small prime for all i. The paper [33] focuses on the case where the norm of I e is e for some integer e, but it mentions that the algorithm can be extended to the case of powersmooth norms. We will only describe and use the powersmooth version. In our application there are some efficiency advantages from using isogenies whose degree is a product of small powers of distinct primes, rather than a large power of a small prime.
Note that the ideals returned by the quaternion isogeny path algorithm (or equivalently the right orders of these ideals) correspond to vertices of the path in the quaternion algebra graph, and to a sequence of j-invariants by Deuring's correspondence. In the next subsection we will describe how to make this correspondence explicit; here we focus on the quaternion algorithm itself.
An important feature of the algorithm is that paths between two arbitrary maximal orders O and O are always constructed as a concatenation of two paths from each maximal order to a special maximal order. As mentioned above, in our protocol and the discussion below we fix O 0 = 1, i, 1+k 2 , i+j 2 where i 2 = −1 and j 2 = −p. General references for maximal orders and ideals in quaternion algebras are [42,43,45].
We focus on the case where O = O 0 , and assume that instead of a second maximal order O we are given the corresponding left O 0 -ideal I as input (the two variants of the problem are equivalent). This will be sufficient for our use of the algorithm. We assume that I is given by a Z-basis of elements in O 0 . Note that in our context n(I ) is known, as it is the degree of the known isogeny. Denote by n(α) and n(I ) the norm of an element or ideal respectively. The equivalence class of maximal orders defines an equivalence class of O 0 -ideals, where two ideals I and J are in the same class if and only if I = J q with q ∈ B * p,∞ . Therefore our goal is, given a left O 0 -ideal I , to compute another left O 0 -ideal J with powersmooth norm in the same ideal class. Further, in order to be able to later apply Algorithm 2, we require the norm of I to be odd (but the Find new path algorithm also allows to find even norm ideals if desired). Without loss of generality we assume there is no integer s > 1 such that I ⊂ sO 0 , and that I = O 0 . The algorithm proceeds as follows: 1. Compute an element δ ∈ I and an ideal I = Iδ/n(I ) of prime norm N . 2. Find β ∈ I with norm N S where S is powersmooth and odd. 3. Output J = I β /N . To compute δ in Step 1, first a Minkowski-reduced basis {α 1 , α 2 , α 3 , α 4 } of I is computed [35]. To obtain Lemma 3 below we make sure that the Minkowski basis is uniformly randomly chosen among all such bases 9 . Then random elements δ = i x i α i are generated with integers x i in an interval [−m, m], where m is determined later, until the norm of δ is equal to n(I ) times a prime. A probable prime suffices in this context (actually Step 1 is not strictly needed but aims to simplify Step 2), so we can use the Miller-Rabin test to discard composite numbers with a large probability.
In Step 2a we need α ∈ I such that gcd(n(α), N 2 ) = N . This is easily achieved by taking α as a random small linear combination of a Minkowski basis, until the condition is met. Note that if α ∈ I is such that gcd(n(α), N 2 ) = N then J := O 0 N + O 0 α ⊆ I and J = O 0 N . Since the norm of O 0 N is N 2 and N is prime it follows that the norm of J is N and so J = I . In Step 2b the algorithm actually searches for β 1 = a + bi + cj + dk. A large enough powersmooth number S 1 is fixed a priori, then the algorithm generates small random values of c, d until the norm equation a 2 +b 2 = S 1 − p(c 2 +d 2 ) can be solved efficiently using Cornacchia's algorithm (for example, until the right hand side is a prime equal to 1 modulo 4).
Step 2c is just linear algebra modulo N . As argued in [33] it has a negligible chance of failure, in which case one can just go back to Step 2b. In Step 2d the algorithm a priori fixes S 2 large enough, then searches for integers a, b, c, d, λ with λ / ∈ N Z such that N 2 (a 2 +b 2 )+ p (λC + cN ) 2 + (λD + d N ) 2 = S 2 where we have β 2 = Cj + Dk. If necessary S 2 is multiplied by a small prime such that p(C 2 + D 2 )S 2 is a square modulo N , after which the equation is solved modulo N , leading to two solutions for λ. An arbitrary solution is chosen, and then looking at the equation modulo N 2 leads to a linear space of solutions for (c, d) ∈ Z N . The algorithm chooses random solutions until the equation can be efficiently solved with Cornacchia's algorithm.
The overall algorithm is summarized in Algorithm 1. We now prove two lemmas on this algorithm. The first lemma shows that the output of this algorithm only depends on the ideal class of I but not on I itself. This is important in our identification protocol, as otherwise part of the secret isogeny ϕ could potentially be recovered from η. The second lemma gives a precise complexity analysis of the algorithm, where [33] only showed probabilistic polynomial time complexity. Both lemmas are of independent interest.

Lemma 3. The output distribution of the quaternion isogeny path algorithm only depends on the equivalence class of its input. (In particular, the output distribution does not depend on the particular ideal class representative chosen for this input.)
Proof. Let I 1 and I 2 be two left O 0 -ideals in the same equivalence class, namely there exists q ∈ B * p,∞ such that I 2 = I 1 q. We show that the distribution of the ideal I computed in Step 1 of the algorithm is identical for I 1 and I 2 . As the inputs are not used anymore in the remainder of the algorithm this will prove the lemma.
In the first step the algorithm computes a Minkowski basis of its input, uniformly chosen among all possible Minkowski bases. Let B 1 = {α 11 , α 12 , α 13 , α 14 } be a Minkowski basis of I 1 . Then by multiplicativity of the norm we have that B 2 = {α 11 q, α 12 q, α 13 q, α 14 q} is a Minkowski basis of I 2 . The algorithm then computes random elements δ = i x i α i for integers x i in an interval [−m, m]. Clearly, for any element δ 1 computed when the input is I 1 , there corresponds an element δ 2 = δ 1 q computed when the input is I 2 . This is repeated until the norm of δ is a prime times n(I ). As n(I 2 ) = n(I 1 )n(q) the stopping condition is equivalent for both. Finally, an ideal I of prime norm is computed as Iδ/n(I ). Clearly when δ 2 = δ 1 q we have I 2δ2 n(I 2 ) = I 1 qqδ 1 n(q)n(I 1 ) = I 1δ1 n(I 1 ) . This shows that the prime norm ideal computed in Step 1 only depends on the equivalence class of the input. 12: β 1 = a + bi + cj + dk 13: Set β 2 as a solution of α = β 1 β 2 mod N O 0 with β 2 ∈ Zj + Zk. 14: Write β 2 = Cj + Dk. Try small odd primes r in increasing order until we find one such that (C 2 +D 2 )S 2 r N = 1, and set S 2 = S 2 r . Update s accordingly. 15: λ ← Solution of pλ 2 (C 2 + D 2 ) = S 2 mod N . 16: while a, b are not found do 17: The expected running time given in the following lemma relies on several heuristics related to the factorization of numbers generated following certain distributions (see Section 2.8). Intuitively all these heuristics say that asymptotically those numbers behave in the same way as random numbers of the same size. Proof. The Minkowski basis can be computed in O(log 2 X ), for example using the algorithm of [35]. For generic ideals the reduced norms of all Minkowski basis elements 10 are in O( √ p) (see [33,Section 3.1]). In the first loop we initially set m = log p . Assuming heuristically that the numbers N generated behave like random numbers we expect the box to produce some prime number. The resulting N will be inÕ( √ p). For some non generic ideals the Minkowski basis may contain a pair of elements with norms significantly smaller than O( √ p); in that case we can expect to finish the loop for smaller values of m by setting x 3 = x 4 = 0, and to obtain some N of a smaller size. Rabin's pseudo-primality test performs a single modular exponentiation (modulo a number of sizeÕ( √ p)), and it is passed by composite numbers with a probability at most 1/4. The test can be repeated r times to decrease this probability to 1/4 r . Assuming heuristically that the numbers tested behave like random numbers the test will only be repeated a significant amount of times on actual prime numbers, so in total it will be repeated O(log p) times. This leads to a total complexity ofÕ(log 3 p) bit operations for the first loop using fast (quasi-linear) modular multiplication. The other two loops involve solving equations of the form x 2 + y 2 = M. For such an equation to have solutions it is sufficient that M is a prime with M = 1 mod 4, a condition that is heuristically satisfied after 2 log M random trials. Choosing S 1 and S 2 as in the algorithm ensures that the right-hand term of the equation is positive, and (assuming this term behaves like a random number of the same size) is of the desired form for some choices (c, d), at least heuristically. Cornacchia's algorithm runs in timẽ O(log 2 M), which is alsoÕ(log 2 p) in the algorithm. The pseudo-primality tests will requireÕ(log 3 p) operations in total, and their cost will dominate both loops.

Algorithm 1 Find new path algorithm
Computing β 2 is just linear algebra modulo N ≈Õ( √ p) and this cost can be neglected. The last two steps can similarly be neglected. As a result, we get an overall cost ofÕ(log 3 p) bit operations for the whole algorithm. Let s = 7 2 log p. We have n(J ) = n(I )n(β 1 )n(β 2 )/N 2 so neglecting log log factors log n(J ) ≈ 1 2 log p + log p + 3 log p − log p = 7 2 log p. We make the heuristic assumption that log n(J ) = ( 7 2 + o(1)) log p. Moreover heuristically p e i i <s p e i i ≈ (s) s/ log s ≈ p 7/2+o(1) so we can expect to find S 1 S 2 that is s-powersmooth and of the correct size.

Remark 5.
A subtle issue is to understand in what sense the output of Algorithm 1 is a "random" isogeny. The algorithm appears to make many random choices: first a "random ideal" I is chosen, then a "random" element β 1 is constructed, then an "arbitrary" β 2 is constructed, and finally the ideal J is output. However, a crucial observation is Lemma 3: since J is equivalent to I the output does not actually depend heavily on these choices (essentially the "choices all cancel each other out"). There is only a small set of actual isogenies η that will be output by this algorithm (once the parameter L and other smoothness bounds are fixed). For this reason, we can view the output as "independent" of I (and hence of ϕ) and the isogeny η as a "pseudo-canonical" choice of isogeny from E 0 to E 2 .

Step-by-Step Deuring Correspondence
We now discuss algorithms to convert isogeny paths into paths in the quaternion algebra, and vice versa. This will be necessary in our protocols as we are sending curves and isogenies, whereas the process uses the quaternion isogeny algorithm.
All the isogeny paths that we will need to translate in our signature scheme will start from the special j-invariant j 0 = 1728. We recall (see beginning of Section 4.1) that this corresponds to the curve E 0 with equation y 2 = x 3 + x and endomorphism ring End(E 0 ) = 1, φ, 1+πφ 2 , π +φ 2 . Moreover there is an isomorphism of quaternion algebras sending (1, i, j, k) to (1, φ, π, πφ).
For any isogeny ϕ : E 0 → E 1 of degree n, we can associate a left End(E 0 )-ideal I = Hom(E 1 , E 0 )ϕ of norm n, corresponding to a left O 0 -ideal with the same norm in the quaternion algebra B p,∞ . Conversely every left O 0 -ideal arises in this way [32,Section 5.3]. In our protocol we will need to make this correspondence explicit, namely we will need to pair up each isogeny from E 0 with the correct O 0 -ideal. Moreover we need to do this for "large" degree isogenies to ensure a good distribution via our random walk theorem.

Translating an ideal to an isogeny path.
Let E 0 and O 0 = End(E 0 ) be given, together with a left O 0 -ideal I corresponding to an isogeny of degree n. We assume I is given as a Z-basis {α 1 , . . . , α 4 }. The main idea to determine the corresponding isogeny explicitly is to determine its kernel [47].
Assume for the moment that n is a small prime. One can compute generators for all cyclic subgroups of E 0 [n], each one uniquely defining a degree n isogeny which can be computed with Vélu's formulae. A generator P then corresponds to the basis {α 1 , . . . , α 4 } if and only if α j (P) = 0 for all 1 ≤ j ≤ 4. To evaluate α(P) with α ∈ I and P ∈ E 0 [n], we first write α = (u + vi + wj + xk)/2, then we compute P such that [2]P = P and finally we evaluate [u]P + [v]φ(P ) + [w]π(P ) + [x]π(φ(P )). To show that any such P works, write β = u + vi + wj + xk.
Since any other choice of P is P + T for some T ∈ E 0 [2] the choice of P does not matter.
An alternative to trying all subgroups is to choose a pair {P 1 , P 2 } of generators for E 0 [n] and, for some α ∈ I , solve the discrete logarithm instance (if possible) α(P 2 ) = [x]α(P 1 ). It follows that α(P 2 − [x]P 1 ) = 0 and so we have determined a candidate point in the kernel of the isogeny. Both solutions are too expensive for large n.
When n = e the degree n isogeny can be decomposed into a composition of e degree isogenies. If P is a generator for the kernel of the degree e isogeny then e−i+1 P is the kernel of the degree i isogeny corresponding to the first i steps. One can therefore perform the matching of ideals with kernels step-by-step with successive approximations of I or P respectively. This algorithm is more efficient than the previous one, but it still requires to compute e torsion points, which in general may be defined over a degree e extension of F p 2 . To ensure that the e torsion is defined over F p 2 one can choose p such that e | ( p ± 1) as in the De Feo-Jao-Plût protocols; however for general p this translation algorithm will still be too expensive.
We solve this efficiency issue by using powersmooth degree isogenies in our protocols. When n = i e i i with distinct primes i , one reduces to the prime power case as follows. For simplicity we assume that 2 does not divide n. The isogeny of degree n can be decomposed into a sequence of prime degree isogenies. For simplicity we assume the isogeny steps are always performed in increasing degree order; we can require that this is indeed the case in our protocols. However, rather than working with points on a sequence of elliptic curves, we work entirely on E 0 . Using a Chinese Remainder Theorem-like representation, points in E 0 [n] can be represented as a sequence of points in E 0 [ e i i ]. When one wishes to compute the corresponding sequence of isogenies ϕ i : E i−1 → E i , each of degree e j j , it is necessary to transport the appropriate kernel points across to E i−1 along the isogenies already computed.
Given a left O 0 -ideal I , Algorithm 2 progressively identifies the corresponding isogeny sequence. When determining points in ker(α) ∩ E 0 [ e i i ] the algorithm uses a natural optimisation of reducing the coefficients of α modulo e i i . Write α ik = (u ik + v ik i + w ik j + x ik k)/2. 10:

Algorithm 2 Translating ideal to isogeny path
for j = 1, 2 do 11: 12: Solve ECDLP to compute Q i of order e i i such that α ik (Q i ) = 0 for all k 13: Compute φ i = isogeny with kernel ϕ i−1 (Q i ) (compute with Vélu's formulae). 14: Set In our protocols we will have e i i = O(log n) = O(log p); moreover we will be using O(log p) different primes. The complexity of Algorithm 2 under these assumptions is given by the following lemma. Note that almost all primes i are such that √ B < i ≤ B and so e i = 1, hence we ignore the obvious -adic speedups that can be obtained in the rare cases when i is small. Proof. Without any assumption on p the e i i torsion points will generally be defined over e i i degree extension fields, hence they will be of O(log 2 p) size. However the isogenies themselves will be rational, i.e. defined over F p 2 . This means their kernel is defined by a polynomial over F p 2 . Isogenies over F p 2 of degree d can be evaluated at any point in F p 2 using O(d) field operations in F p 2 .
Let d = e i i . To compute a basis of the d-torsion, we first factor the division polynomial over F p 2 . This polynomial has degree O(d 2 ) = O(log 2 p). Using the algorithm in [30] this can be done inÕ(log 4 p) bit operations. Since the isogenies are defined over F p 2 , this will give factors of degree at most (d − 1)/2, each one corresponding to a cyclic subgroup. We then randomly choose some factor with a probability proportional to its degree, and we factor it over its splitting field, until we have found a basis of the d-torsion.
After O(1) random choices we will have a basis of the d-torsion. Each factorization costsÕ(log 5 p) using the algorithm in [46], and verifying that two points generate the d-torsion can be done with O(d) field operations. It then takes O(d) field operations to compute generators for all kernels. As r = O(log p) we deduce that the first loop requiresÕ(log 6 p) bit operations.
Computing P i jk involves Frobenius operations and multiplications by scalars bounded by d (and so O(log log p) bits). This requires O(log log p) field operations, that is a total ofÕ(log 3 p) bit operations. Any cyclic subgroup of order e i i is generated by a point Q i = a P i1 + bP i2 , and the image of this point by α ik is a P i1k + bP i2k . One can determine the integers a, b by an ECDLP computation or by testing random choices. There are roughly e i i = O(log p) subgroups, and testing each of them requires at most O(log log p) field operations, so finding Q i requiresÕ(log p) field operations. Evaluating ϕ i−1 (Q i ) requires O(log 2 p) field operations. Computing the isogeny φ i can be done in O(log p) field operations using Vélu's formulae. As r = O(log p) we deduce that the second loop requiresÕ(log 5 p) bit operations.
We stress that in our signature algorithm, Algorithm 2 will be run O(log p) times. However the torsion points are independent of both the messages and the keys, so they can be precomputed. Hence the "online" running time of Algorithm 2 isÕ(log 5 p) bit operations per execution.

Translating an isogeny path to an ideal.
Let E 0 , E 1 , . . . , E r be an isogeny path and suppose φ i : E i−1 → E i is of degree e i i . We define I 0 = O 0 . Then for i = 1, . . . , r we compute an element α i ∈ I i−1 and an ideal I i = I i−1 e i i + O 0 α i that corresponds to the isogeny φ i • · · · • φ 1 . This is analogous in the power-smooth case to the notation I i as used in Section 4.3; in particular I 0 = O 0 ⊃ I 1 ⊃ . . . ⊃ I r . The idea is to determine suitable endomorphisms α i ∈ I i−1 with the desired norm and that kill the required kernel point. In our protocols we will have e i i = O(log n) = O(log p); moreover we will be using O(log p) different primes. The complexity of Algorithm 3 for these parameters is given by the following lemma. Proof. The input consists of a sequence of isogenies, and we remind that the representation of an isogeny is usually by explicitly specifying a kernel point (or else equivalent information, such as a polynomial whose roots are the kernel points). We remind that the e i i torsion points will generally be defined over degree e i i extension fields, hence they will be of O(log 2 p) size. Isogenies of degree d can be evaluated at any point using O(d) field operations.
When the degree is odd the isogeny φ i is naturally given by a polynomial ψ i such that the roots of ψ i correspond to the x-coordinates of affine points in ker ϕ i . To identify a generator Q i we first factor ψ i over F p 2 . Using the algorithm in [46] this can be done withÕ(log 3 p) bit operations. We choose a random irreducible factor with a probability proportional to its degree, we use this polynomial to define a field extension of F p 2 , and we check whether the corresponding point is of order e i i . If not we choose another irreducible factor and we repeat. We expect to only need to repeat this O(1) times, and each step requiresÕ(log p) bit operations. So the total cost for line 3 isÕ(log 3 p).
Step 4 requires O(log log p) field operations to compute a point Q i such that [2]Q i = Q i . After that it mostly requires O(log p) field operations to compute the Frobenius map. The total cost of this step is thereforeÕ(log 3 p).
Basis elements for all the ideals I i appearing in the algorithm can be reduced modulo O 0 n, hence their coefficients are of size log n = O(log p).
To compute a random solution to f i modulo e i i , we choose uniformly random values for w, x, y, and when the resulting quadratic equation in z has solutions modulo e i i we choose a random one.  ). Computing each f i costsÕ(log p) bit operations.
As r = O(log p) the total cost of the algorithm isÕ(log 4 p).
One can check that all integers in the algorithm are bounded in terms of n, and so coefficients are of size X where log X = O(log n) = O(log p).
Recall that the condition log X = O(log p) is needed in Lemma 4.

Classical Signature Scheme based on Endomorphism Ring Computation
In this section we give the details of our second signature scheme based on our new identification protocol, with security relying on computing the endomorphism ring of a supersingular elliptic curve.
Key Generation Algorithm: On input a security parameter λ generate a prime p with 2λ bits, which is congruent to 3 modulo 4. Let E 0 : y 2 = x 3 + Ax over F p be supersingular, and let O 0 = End(E 0 ). Fix B, S 1 , S 2 as small as possible 11 such that S k := i Perform a random isogeny walk of degree S 1 from the curve E 0 with j-invariant j 0 = 1728 to a curve E 1 with j-invariant j 1 . Compute O 1 = End(E 1 ) and the ideal I corresponding to this isogeny. Choose a hash function H with t bits of output (e.g., t = λ or, more conservatively, t = 2λ). The public key is pk = ( p, j 1 , H ) and the secret key is sk = O 1 , or equivalently I .
Signing Algorithm: On input a message m and keys (pk, sk), recover the parameters p and j 1 . For i = 1, . . . , t, generate a random isogeny walk w i of degree S 2 , ending at a j-invariant j 2,i . Compute h := H (m, j 2,1 , . . . , j 2,t ) and parse the output as t challenge bits b i . For i = 1, . . . , t, if b i = 1 use w i and Algorithm 3 of Section 4.4 to compute the corresponding ideal I i and hence its right order O 2,i = End(E 2,i ), then use the algorithm of Section 4.3 on input I I i to compute a "fresh" path between O 0 and O 2,i , and finally use Algorithm 2 to compute an isogeny path w i from j 0 to j 2,i . If b i = 0 set z i := w i , otherwise set z i := w i . Return the signature σ = (h, z 1 , . . . , z t ).
Verification Algorithm: On input a message m, a signature σ and a public key pk, recover the parameters p and j 1 . For each 1 ≤ i ≤ t one uses z i to compute the image curve E 2,i of the isogeny. Hence the verifier recovers the j-invariants j 2,i for 1 ≤ i ≤ t. The verifier then recomputes the hash H (m, j 2,1 , . . . , j 2,t ) and checks that the value is equal to h, accepting the signature if this is the case and rejecting otherwise.
We now show that this scheme is a secure signature.
Theorem 10. If Problem 6 is computationally hard then the signature scheme is secure in the random oracle model under a chosen message attack.
Proof. As shown in Section 4.2, if Problem 6 is computationally hard then the identification scheme (sigma protocol) has 2-special soundness and honest verifier zeroknowledge. Theorem 2 therefore implies that the identification scheme is secure against impersonation under passive attacks. It follows from Theorem 3 that the signature scheme is secure in the random oracle model.
Efficiency: As the best classical algorithm for computing the endomorphism ring of a supersingular elliptic curve runs in timeÕ( √ p) one can take log p = 2λ. By Theorem 1 and Lemma 1, taking B ≈ 2(1 + ) log p ensures that the outputs of random walks are distributed uniformly enough. Random walks then require 2(1+ ) log p bits to represent, so signatures are bits on average, depending on the challenge bits. For λ bits of security, we choose t = λ, so the average signature length is approximately λ + ( λ 2 )(4(1 + )λ + 7λ) ≈ 1 2 (11 + 4 )λ 2 ≈ 11 2 λ 2 . The conservative choice t = 2λ gives signatures of size approximately 11λ 2 bits.
Private keys are 2(1 + ) log p ≈ 4λ bits if a canonical representation of the kernel of the isogeny between E 0 and E 1 is stored. This can be reduced to 2λ bits for generic E 1 : if I is the ideal corresponding to this isogeny, it is sufficient to store another ideal J in the same class, and for generic E 1 there exists one ideal of norm n ≈ √ p. To represent this ideal in the most efficient way, it is sufficient to give n and a second integer defining the localization of I at every prime factor of n, for canonical embeddings of B p,∞ into M 2 (Q ), where M 2 (Q ) is the group of 2 × 2 matrices over the -adics. This reduces storage costs to roughly 2λ bits. Public keys are 3 log p = 6λ bits. A signature mostly requires t calls to the Algorithms of Sections 4.3 and 4.4 , for a total cost ofÕ(λ 6 ). Verification requires to check O(λ) isogeny walks, each one comprising O(λ) steps with a cost O(λ 2 ) field operations each when modular polynomials are precomputed, hence a total cost ofÕ(λ 6 ) bit operations (under the same heuristic assumptions as in Lemma 4).
Optimization with Non Backtracking Walks: In our description of the signature scheme we have allowed isogeny paths to "backtrack". We made this choice to simplify the convergence analysis of random walks and because it does not affect the asymptotic complexity of our schemes significantly. However in practice at any concrete security parameter, it will be better to use non-backtracking random walks as they will converge more quickly to a uniform distribution [2].

Post-Quantum Signature Scheme based on Endomorphism Ring Computation
We briefly describe the signature scheme arising from applying Unruh's transform to the identification protocol of Section 4.
Key Generation Algorithm: On input a security parameter λ generate a prime p with 4λ bits, which is congruent to 3 modulo 4. Let E 0 : y 2 = x 3 + Ax over F p be supersingular, and let O 0 = End(E 0 ). Set t = 3λ. Fix B, S 1 , S 2 as in the key generation algorithm of Section 4.5. Perform a random isogeny walk of degree S 1 from the curve E 0 with j-invariant j 0 = 1728 to a curve E 1 with j-invariant j 1 . Compute O 1 = End(E 1 ) and the ideal I corresponding to this isogeny. Choose a hash function H : {0, 1} * → {0, 1} t . Let N 0 ≈ 2 log p and N 1 ≈ 7 2 log p be upper bounds for the bitlengths of the representations of isogeny paths in the algorithm, respectively in responses to challenges 0 and 1. For i = 0, 1 let G i : {0, 1} N i → {0, 1} N i be a hash function such that every element has polynomially many preimages. The public key is pk = ( p, j 1 , H, G 0 , G 1 ) and the secret key is sk = O 1 , or equivalently I .
Signing Algorithm: On input a message m and keys (pk, sk), recover the parameters p and j 1 . For i = 1, . . . , t generate a random isogeny walk w i of degree S 2 , ending at a j-invariant j 2,i .
For i = 1, . . . , t apply Algorithm 3 of Section 4.4 to compute the ideal I i corresponding to the isogeny path w i , then use the algorithm of Section 4.3 on input I I i to compute a "fresh" ideal corresponding to a path between O 0 and O 2,i , and finally use Algorithm 2 to compute an isogeny path w i from j 0 to j 2,i .
Verification Algorithm: On input a message m, a signature σ and a public key pk, recover the parameters p and j 1 .
For each 1 ≤ i ≤ t one uses rsp i to compute the image curve E 2,i of the isogeny (if h i = 0 then rsp i is a path from E 1 and if h i = 1 then it is a path from E 0 ). Hence the verifier recovers the j-invariants j 2,i for 1 ≤ i ≤ t.
If h = h then the verifier accepts the signature and otherwise rejects.
We now show that this scheme is a secure signature.
Theorem 11. If Problem 6 is computationally hard then the signature scheme is secure in the quantum random oracle model under a chosen message attack.
Proof. As shown in Section 4.2, if Problem 6 is computationally hard then the identification scheme (sigma protocol) has 2-special soundness and honest verifier zeroknowledge. A result of Unruh [40] then implies that the signature scheme is secure in the quantum random oracle model.
Efficiency: For the same reasons as in the application of the Unruh transform to the De Feo-Jao-Plût scheme, this signature scheme is less efficient than its classical counterpart. Again, we only send half the values g i, j , since the missing values can be recomputed by the verifier. The average signature size is t + t ((2 log p + 7 2 log p)), on the basis that half the challenge bits are 0 and half of them are 1. For λ bits of security, we choose log p = 4λ and t = 3λ. Then the average signature size is approximately 66λ 2 .

Comparison
Tables 1 and 2 summarize the main efficiency features of the four signature schemes based either on De Feo-Jao-Plût or on our new identification scheme, and on the Fiat-Shamir or Unruh transforms. The numbers provided were obtained by optimizing signature sizes first, then signing and verification time and finally key sizes; other trade-offs are of course possible. The scheme based on the De Feo-Jao-Plût identification protocol and Unruh transform was discovered independently in [49]; the version we give incorporates optimizations that reduce the signature sizes for the same security guarantees 12 . Signatures based on De Feo-Jao-Plût identification protocol are simpler and somewhat more efficient than signatures based on our new identification protocol; however the latter have the advantage to rely on more standard and potentially harder computational problems. Schemes based on the Fiat-Shamir transform are more efficient than schemes based on Unruh's transform; however the latter provide security guarantees against quantum adversaries. Table 1 and a quick comparison with RSA signatures suggest that isogeny-based signatures schemes may be efficient enough for practical use. Indeed for RSA signatures, 12 Both signature sizes depend linearly on a parameter t which we fixed in a more conservative manner than Yoo et al. With t = 2λ their signatures are 69λ 2 bits and ours are 48λ 2 bits, and with t = 3λ their signatures are 103.5λ 2 bits and ours are 72λ 2 bits. key sizes are cubic in the security parameter, and signing and verification times are respectively quasi-quadratic and quasi-linear in the key sizes (the latter assuming a small public key exponent is used), amounting toÕ(λ 3 ) andÕ(λ 6 ). As for concrete parameters, key sizes are much smaller for isogeny-based signatures than for RSA signatures and comparable to ECDSA signatures. Further work in this area should aim at decreasing signature sizes.

Conclusion
We have presented two signature schemes based on supersingular isogeny problems. Both schemes are built from a parallel execution of an identification scheme with bounded soundness, using the Fiat-Shamir transform. The first scheme is built directly from the De Feo-Jao-Plût identification protocol with some optimization. A similar scheme was given by Yoo, Azarderakhsh, Jalali, Jao and Soukharev [49]. The second scheme is more involved, and introduces a new randomisation method for isogeny paths. A crucial ingredient for our second protocol is the quaternion isogeny algorithm of Kohel-Lauter-Petit-Tignol [33] in the powersmooth case, for which we provide a more complete description and analysis. The first scheme is significantly more efficient, but the second one is based on an arguably more standard and potentially harder computational problem.
Our schemes rely on problems that can potentially resist quantum algorithms. However this family of problems are also are rather new in cryptography. Among all of them, we believe that the problem of computing the endomorphism ring of a supersingular elliptic curve (on which our second signature scheme relies) is the most natural one to consider from an algorithmic theory point of view, and it was the subject of Kohel's PhD thesis in 1996 [32,Chapter 7]. The problem is also potentially harder than Problems 3 and 4 considered in previous works (and used in our first signature scheme). Yet, even that problem is far from having received the same scrutiny as more established cryptography problems like discrete logarithms or integer factoring. We hope that this paper will encourage the community to study its complexity.