# Computational problems in supersingular elliptic curve isogenies

@article{Galbraith2017ComputationalPI, title={Computational problems in supersingular elliptic curve isogenies}, author={Steven D. Galbraith and Frederik Vercauteren}, journal={Quantum Information Processing}, year={2017}, volume={17}, pages={1-22} }

We present an overview of supersingular isogeny cryptography and how it fits into the broad theme of post-quantum public-key crypto. The paper also gives a brief tutorial of elliptic curve isogenies and the computational problems relevant for supersingular isogeny crypto. Supersingular isogeny crypto is attracting attention due to the fact that the best attacks, both classical and quantum, require exponential time. However, the underlying computational problems have not been sufficiently…

## 50 Citations

Supersingular Isogeny-based Cryptography: A Survey

- Computer Science, Mathematics
- Interdisciplinary Information Sciences
- 2021

This survey describes one of the most promising approaches to post-quantum cryptography: cryptosystems based on supersingular isogenies and discusses the most important protocols that have been proposed in recent years, starting with the so-called Supersingular Isogeny Diffie–Hellman.

Isogenies for Post-Quantum Cryptography

- Computer Science, Mathematics
- 2018

An optimized and efficient software implementation of SIDH key exchange in Rust is provided, and its performance is compared with the currently available state-of-the-art implementations to assess its practicality.

Constructing Canonical Strategies for Parallel Implementation of Isogeny Based Cryptography

- Computer Science, Mathematics
- INDOCRYPT
- 2018

This paper presents several recursive formulations of canonical strategies and their cost under the Per-Curve Parallelization (PCP) model, and shows how to construct the best (optimal) strategies under the PCP model.

A subexponential-time, polynomial quantum space algorithm for inverting the CM group action

- Mathematics, Computer Science
- J. Math. Cryptol.
- 2020

A quantum algorithm which computes group action inverses of the complex multiplication group action on isogenous ordinary elliptic curves, using subexponential time, but only polynomial quantum space, is presented, believed to be the first such result.

CSIDH: An Efficient Post-Quantum Commutative Group Action

- Mathematics, Computer Science
- IACR Cryptol. ePrint Arch.
- 2018

The Diffie–Hellman scheme resulting from the group action allows for public-key validation at very little cost, runs reasonably fast in practice, and has public keys of only 64 bytes at a conjectured AES-128 security level, matching NIST’s post-quantum security category I.

Quantum Security Analysis of CSIDH and Ordinary Isogeny-based Schemes

- Computer Science, Mathematics
- IACR Cryptol. ePrint Arch.
- 2018

It is shown that those security parameters proposed for CSIDH were too optimistic, and an instance proposed by De Feo, Kieffer and Smith and expected to break 56 bits of quantum security can be broken in \(2^{38}\) quantum evaluations of a key exchange, making the attack more costly.

Hybrid Meet-in-the-Middle Attacks for the Isogeny Path-Finding Problem

- Computer Science, Mathematics
- APKC@AsiaCCS
- 2020

This paper proposes hybrid approaches of MITM for solving the isogeny path-finding problem by building part of trees of isogenies in a conventional way and then searching a pair of isogenous curves of prime power degree by the algebraic approach using modular polynomials, proposed by Takahashi et al.

SoK: The Problem Landscape of SIDH

- Mathematics, Computer Science
- IACR Cryptol. ePrint Arch.
- 2018

There is a rich network of reductions between the isogeny problems securing the private keys of the participants in the SIDH protocol, the computational and decisional SIDH problems, and the problem of validating SIDH public keys.

The Security of All Private-key Bits in Isogeny-based Schemes

- Computer Science, Mathematics
- IACR Cryptol. ePrint Arch.
- 2019

The Review On Elliptic Curves as Cryptographic Pairing Groups

- Mathematics, Computer Science
- 2021

The purpose of this paper is to introduce elliptic curves and bilinear pairings on elliptic curves, as used in pairing-based cryptography, as a basis for guiding anyone interested in understanding one of the applications of group theory in cryptosystems.

## References

Constructing elliptic curve isogenies in quantum subexponential time

- Computer Science, Mathematics
- J. Math. Cryptol.
- 2014

This work gives a new subexponential-time quantum algorithm for constructing nonzero isogenies between two such elliptic curves, assuming the Generalized Riemann Hypothesis (but with no other assumptions).

Signature Schemes Based On Supersingular Isogeny Problems

- Computer Science, Mathematics
- IACR Cryptol. ePrint Arch.
- 2016

The first signature schemes whose security relies on computational assumptions relating to isogeny graphs of supersingular elliptic curves and which lead to signatures that are existentially unforgeable under chosen message attacks are presented.

Public-Key Cryptosystem Based on Isogenies

- Computer Science, Mathematics
- IACR Cryptol. ePrint Arch.
- 2006

The paper describes theoretical background and a public-key encryption technique, followed by security analysis and consideration of cryptosystem parameters selection, and proposes ElGamal public-key encryption and Diffie-Hellman key agreement for an isogeny cryptosystem.

A Quantum Algorithm for Computing Isogenies between Supersingular Elliptic Curves

- Computer Science, Mathematics
- INDOCRYPT
- 2014

A quantum algorithm for computing an isogeny between any two supersingular elliptic curves defined over a given finite field that is an asymptotic improvement over the previous fastest known method which had complexity \(\tilde{O}(p^{1/2})\) (on both classical and quantum computers).

On the Security of Supersingular Isogeny Cryptosystems

- Computer Science, Mathematics
- ASIACRYPT
- 2016

This work gives a very powerful active attack on the supersingular isogeny encryption scheme, and shows that the security of all schemes of this type depends on the difficulty of computing the endomorphism ring of a supersingular elliptic curve.

Constructing Isogenies between Elliptic Curves Over Finite Fields

- Mathematics, Computer Science
- 1999

The goal of this paper is to describe a probabilistic algorithm for constructing an isogeny over a finite field Fp that is efficient in certain situations (that is, when the class number of the endomorphism ring is small).

Computing isogenies between supersingular elliptic curves over F_p

- Mathematics, Computer Science
- 2013

This paper gives an algorithm to construct isogenies between such supersingular elliptic curves that works faster than the usual algorithm and discusses how these results can be used to obtain an improved algorithm for the general supersingularity isogeny problem.

On the Hardness of Computing Endomorphism Rings of Supersingular Elliptic Curves

- Mathematics, Computer Science
- IACR Cryptol. ePrint Arch.
- 2017

It is shown that computing \(\ell\)-power isogenies reduces to computing maximal orders and Action-on-\(\ell\)-Torsion, and the notion of a compact representation of an endomorphism is defined, which allows the potential to use algebraic tools in quaternion algebras to solve the problems.

A Post-quantum Digital Signature Scheme Based on Supersingular Isogenies

- Computer Science, Mathematics
- Financial Cryptography
- 2017

This scheme is an application of Unruh’s construction of non-interactive zero-knowledge proofs to an interactive zero-knowledge proof proposed by De Feo, Jao, and Plut.

Improved algorithm for the isogeny problem for ordinary elliptic curves

- Computer Science, Mathematics
- Applicable Algebra in Engineering, Communication and Computing
- 2013

An improvement of this algorithm is given by modifying the pseudorandom walk so that lower-degree isogenies are used more frequently, and it is concluded that the algorithm is around 14 times faster than the GHS algorithm when constructing horizontal isogenies between random isogenous elliptic curves over a 160-bit prime field.