
Computational problems in supersingular elliptic curve isogenies

Published: 01 October 2018

Abstract

We present an overview of supersingular isogeny cryptography and how it fits into the broad theme of post-quantum public-key crypto. The paper also gives a brief tutorial of elliptic curve isogenies and the computational problems relevant for supersingular isogeny crypto. Supersingular isogeny crypto is attracting attention due to the fact that the best attacks, both classical and quantum, require exponential time. However, the underlying computational problems have not been sufficiently studied by quantum algorithm researchers, especially since there are significant mathematical preliminaries needed to fully understand isogeny crypto. The main goal of the paper is to advertise various related computational problems and to explain the relationships between them, in a way that is accessible to experts in quantum algorithms.



Published In

Quantum Information Processing, Volume 17, Issue 10, Oct 2018, 640 pages

Publisher: Kluwer Academic Publishers, United States

Author Tags

1. Elliptic curve isogeny
2. Post-quantum cryptography
