Computational problems in supersingular elliptic curve isogenies

@article{Galbraith2017ComputationalPI,
  title={Computational problems in supersingular elliptic curve isogenies},
  author={Steven D. Galbraith and Frederik Vercauteren},
  journal={Quantum Information Processing},
  year={2017},
  volume={17},
  pages={1-22}
}
We present an overview of supersingular isogeny cryptography and how it fits into the broad theme of post-quantum public-key crypto. The paper also gives a brief tutorial of elliptic curve isogenies and the computational problems relevant for supersingular isogeny crypto. Supersingular isogeny crypto is attracting attention due to the fact that the best attacks, both classical and quantum, require exponential time. However, the underlying computational problems have not been sufficiently… 
Supersingular Isogeny-based Cryptography: A Survey
TLDR
This survey describes one of the most promising approaches to post-quantum cryptography: cryptosystems based on supersingular isogenies and discusses the most important protocols that have been proposed in recent years, starting with the so-called Supersingular Isogeny Diffie–Hellman.
Isogenies for Post-Quantum Cryptography
  • Computer Science, Mathematics
  • 2018
TLDR
An optimized and efficient software implementation of SIDH key exchange in Rust is provided, and its performance is compared with the currently available state-of-the-art implementations to assess its practicality.
Constructing Canonical Strategies for Parallel Implementation of Isogeny Based Cryptography
TLDR
This paper presents several recursive formulations of canonical strategies and their cost under the Per-Curve Parallelization (PCP) model, and shows how to construct the best (optimal) strategies under the PCP model.
A subexponential-time, polynomial quantum space algorithm for inverting the CM group action
TLDR
A quantum algorithm which computes group action inverses of the complex multiplication group action on isogenous ordinary elliptic curves, using subexponential time, but only polynomial quantum space, is presented, believed to be the first such result.
CSIDH: An Efficient Post-Quantum Commutative Group Action
TLDR
The Diffie–Hellman scheme resulting from the group action allows for public-key validation at very little cost, runs reasonably fast in practice, and has public keys of only 64 bytes at a conjectured AES-128 security level, matching NIST’s post-quantum security category I.
Quantum Security Analysis of CSIDH and Ordinary Isogeny-based Schemes
TLDR
It is shown that those security parameters proposed for CSIDH were too optimistic, and an instance proposed by De Feo, Kieffer and Smith and expected to break 56 bits of quantum security can be broken in \(2^{38}\) quantum evaluations of a key exchange, making the attack more costly.
Hybrid Meet-in-the-Middle Attacks for the Isogeny Path-Finding Problem
TLDR
This paper proposes hybrid approaches of MITM for solving the isogeny path-finding problem by building part of trees of isogenies in a conventional way and then searching a pair of isogenous curves of prime power degree by the algebraic approach using modular polynomials, proposed by Takahashi et al.
SoK: The Problem Landscape of SIDH
TLDR
There is a rich network of reductions between the isogeny problems securing the private keys of the participants in the SIDH protocol, the computational and decisional SIDH problems, and the problem of validating SIDH public keys.
The Security of All Private-key Bits in Isogeny-based Schemes
  • Barak Shani
  • Computer Science, Mathematics
    IACR Cryptol. ePrint Arch.
  • 2019
The Review On Elliptic Curves as Cryptographic Pairing Groups
TLDR
The purpose of this paper is to introduce elliptic curves and bilinear pairings on elliptic curves, as used in pairing-based cryptography, as a basis for guiding anyone interested in understanding one of the applications of group theory in cryptosystems.

References

SHOWING 1-10 OF 73 REFERENCES
Constructing elliptic curve isogenies in quantum subexponential time
TLDR
This work gives a new subexponential-time quantum algorithm for constructing nonzero isogenies between two such elliptic curves, assuming the Generalized Riemann Hypothesis (but with no other assumptions).
Signature Schemes Based On Supersingular Isogeny Problems
TLDR
The first signature schemes whose security relies on computational assumptions relating to isogeny graphs of supersingular elliptic curves and which lead to signatures that are existentially unforgeable under chosen message attacks are presented.
Public-Key Cryptosystem Based on Isogenies
TLDR
The paper describes theoretical background and a public-key encryption technique, followed by security analysis and consideration of cryptosystem parameters selection, and proposes ElGamal public-key encryption and Diffie-Hellman key agreement for an isogeny cryptosystem.
A Quantum Algorithm for Computing Isogenies between Supersingular Elliptic Curves
TLDR
A quantum algorithm for computing an isogeny between any two supersingular elliptic curves defined over a given finite field that is an asymptotic improvement over the previous fastest known method which had complexity \(\tilde{O}(p^{1/2})\) (on both classical and quantum computers).
On the Security of Supersingular Isogeny Cryptosystems
TLDR
This work gives a very powerful active attack on the supersingular isogeny encryption scheme, and shows that the security of all schemes of this type depends on the difficulty of computing the endomorphism ring of a supersingular elliptic curve.
Constructing Isogenies between Elliptic Curves Over Finite Fields
TLDR
The goal of this paper is to describe a probabilistic algorithm for constructing an isogeny over a finite field Fp that is efficient in certain situations (that is, when the class number of the endomorphism ring is small).
Computing isogenies between supersingular elliptic curves over F_p
TLDR
This paper gives an algorithm to construct isogenies between such supersingular elliptic curves that works faster than the usual algorithm and discusses how these results can be used to obtain an improved algorithm for the general supersingular isogeny problem.
On the Hardness of Computing Endomorphism Rings of Supersingular Elliptic Curves
TLDR
It is shown that computing \(\ell\)-power isogenies reduces to computing maximal orders and Action-on-\(\ell\)-Torsion, and the notion of a compact representation of an endomorphism is defined, which allows the potential to use algebraic tools in quaternion algebras to solve the problems.
A Post-quantum Digital Signature Scheme Based on Supersingular Isogenies
TLDR
This scheme is an application of Unruh’s construction of non-interactive zero-knowledge proofs to an interactive zero-knowledge proof proposed by De Feo, Jao, and Plut.
Improved algorithm for the isogeny problem for ordinary elliptic curves
  • S. Galbraith, A. Stolbunov
  • Computer Science, Mathematics
    Applicable Algebra in Engineering, Communication and Computing
  • 2013
TLDR
An improvement of this algorithm is given by modifying the pseudorandom walk so that lower-degree isogenies are used more frequently, and it is concluded that the algorithm is around 14 times faster than the GHS algorithm when constructing horizontal isogenies between random isogenous elliptic curves over a 160-bit prime field.