Genus Two Isogeny Cryptography
We study -isogeny graphs of principally polarised supersingular abelian surfaces (PPSSAS). The -isogeny graph has cycles of small length that can be used to break the collision resistance assumption of the genus two isogeny hash function suggested by Takashima. Algorithms for computing -isogenies on the level of Jacobians and -isogenies on the level of Kummers are used to develop a genus two version of the supersingular isogeny Diffie-Hellman protocol of Jao and De Feo. The genus two isogeny Diffie-Hellman protocol achieves the same level of security as SIDH but uses a prime with a third of the bit length.
Computation of Hilbert class polynomials and modular polynomials from supersingular elliptic curves
We present several new heuristic algorithms to compute class polynomials and
modular polynomials modulo a prime . For that, we revisit the idea of
working with supersingular elliptic curves. The best known algorithms to this
date are based on ordinary curves, due to the supposed inefficiency of the
supersingular case. While this was true a decade ago, it is not anymore due to
the recent advances in the study of supersingular curves. Our main ingredients
are two new heuristic algorithms to compute the -invariants of supersingular
curves having an endomorphism ring contained in some set of isomorphism class
of maximal orders
Hidden Stabilizers, the Isogeny To Endomorphism Ring Problem and the Cryptanalysis of pSIDH
The Isogeny to Endomorphism Ring Problem (IsERP) asks to compute the
endomorphism ring of the codomain of an isogeny between supersingular curves in
characteristic given only a representation for this isogeny, i.e. some data
and an algorithm to evaluate this isogeny on any torsion point. This problem
plays a central role in isogeny-based cryptography; it underlies the security
of the pSIDH protocol (ASIACRYPT 2022) and it is at the heart of the recent attacks
that broke the SIDH key exchange. Prior to this work, no efficient algorithm
was known to solve IsERP for a generic isogeny degree, the hardest case
seemingly when the degree is prime.
In this paper, we introduce a new quantum polynomial-time algorithm to solve
IsERP for isogenies whose degrees are odd and have many prime
factors. As main technical tools, our algorithm uses a quantum algorithm for
computing hidden Borel subgroups, a group action on supersingular isogenies
from EUROCRYPT 2021, various algorithms for the Deuring correspondence and a
new algorithm to lift arbitrary quaternion order elements modulo an odd integer
with many prime factors to powersmooth elements.
As a main consequence for cryptography, we obtain a quantum polynomial-time
key recovery attack on pSIDH. The technical tools we use may also be of
independent interest
Faster computation of isogenies of large prime degree
Let be an elliptic curve, and a point in of prime order . Vélu's formulae let us compute a quotient curve and rational maps defining a quotient isogeny in -operations, where the is uniform in . This article shows how to compute , and for in , using only -operations, where the is again uniform in . As an application, this article speeds up some computations used in the isogeny-based cryptosystems CSIDH and CSURF