Abstract
The Isogeny to Endomorphism Ring Problem (IsERP) asks to compute the endomorphism ring of the codomain of an isogeny between supersingular curves in characteristic p given only a representation for this isogeny, i.e. some data and an algorithm to evaluate this isogeny on any torsion point. This problem plays a central role in isogeny-based cryptography; it underlies the security of pSIDH protocol (ASIACRYPT 2022) and it is at the heart of the recent attacks that broke the SIDH key exchange. Prior to this work, no efficient algorithm was known to solve IsERP for a generic isogeny degree, the hardest case seemingly when the degree is prime.
In this paper, we introduce a new quantum polynomial-time algorithm to solve IsERP for isogenies whose degrees are odd and have \(O(\log \log p)\) many prime factors. As main technical tools, our algorithm uses a quantum algorithm for computing hidden Borel subgroups, a group action on supersingular isogenies from EUROCRYPT 2021, various algorithms for the Deuring correspondence and a new algorithm to lift arbitrary quaternion order elements modulo an odd integer N with \(O(\log \log p)\) many prime factors to powersmooth elements.
As a main consequence for cryptography, we obtain a quantum polynomial-time key recovery attack on pSIDH. The technical tools we use may also be of independent interest.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Boneh, D., Lipton, R.J.: Quantum cryptanalysis of hidden linear functions. In: Coppersmith, D. (ed.) CRYPTO 1995. LNCS, vol. 963, pp. 424–437. Springer, Heidelberg (1995). https://doi.org/10.1007/3-540-44750-4_34
Castryck, W., Decru, T.: An efficient key recovery attack on SIDH. In: Hazay, C., Stam, M. (eds.) Advances in Cryptology – EUROCRYPT 2023: 42nd Annual International Conference on the Theory and Applications of Cryptographic Techniques, Lyon, 23–27 April 2023, Proceedings, Part V, pp. 423–447. Springer, Cham (2023). https://doi.org/10.1007/978-3-031-30589-4_15
Chen, M., Imran, M., Ivanyos, G., Kutas, P., Leroux, A., Petit, C.: Hidden stabilizers, the isogeny to endomorphism ring problem and the cryptanalysis of Psidh. Cryptology ePrint Archive, Paper 2023/779 (2023). https://eprint.iacr.org/2023/779
Castryck, W., Lange, T., Martindale, C., Panny, L., Renes, J.: CSIDH: an efficient post-quantum commutative group action. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018. LNCS, vol. 11274, pp. 395–427. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03332-3_15
Cohen, H.: A Course in Computational Algebraic Number Theory. Springer, Heidelberg (1995)
Couveignes, J.-M.: Hard Homogeneous Spaces (1999). https://eprint.iacr.org/2006/291
Childs, A.M., Dam, W.V.: Quantum algorithm for a generalized hidden shift problem. arXiv preprint arXiv:quant-ph/0507190 (2005)
Feo, L.D., et al.: Scallop: Scaling the CSI-Fish. PKC (2023)
De Feo, L., Kohel, D., Leroux, A., Petit, C., Wesolowski, B.: SQISign: compact post-quantum signatures from quaternions and isogenies. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020. LNCS, vol. 12491, pp. 64–93. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64837-4_3
Drozd, Y.A., Kirichenko, V.V.: Finite Dimensional Algebras. Springer (2012)
Denney, A., Moore, C., Russell, A.: Finding conjugate stabilizer subgroups in PSL and related groups. Quantum Inf. Comput. 10, 282–291 (2010)
Ettinger, M., Høyer, P.: On quantum algorithms for noncommutative hidden subgroups. Adv. Appl. Math. 25(3), 239–251 (2000)
Eisenträger, K., Hallgren, S., Lauter, K., Morrison, T., Petit, C.: Supersingular isogeny graphs and endomorphism rings: reductions and solutions. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10822, pp. 329–368. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78372-7_11
Fouotsa, T.B., Moriya, T., Petit, C.: M-SIDH and MD-SIDH: countering SIDH attacks by masking information. In: Hazay, C., Stam, M. (eds.) Advances in Cryptology – EUROCRYPT 2023: 42nd Annual International Conference on the Theory and Applications of Cryptographic Techniques, Lyon, 23–27 April 2023, Proceedings, Part V, pp. 282–309. Springer, Cham (2023). https://doi.org/10.1007/978-3-031-30589-4_10
Pqlp-prime github repository (2023). https://github.com/pqcisogeny/PQLP_prime.git
Ivanyos, G., Prakash, A., Santha, M.: On learning linear functions from subset and its applications in quantum computing. In: Azar, Y., Bast, H., Herman, G. (eds.) 26th Annual European Symposium on Algorithms (ESA 2018), volume 112 of Leibniz International Proceedings in Informatics (LIPIcs), Dagstuhl, pp. 66:1–66:14. Schloss Dagstuhl-Leibniz-Zentrum fuer Informatik (2018)
Ivanyos, G.: Finding hidden Borel subgroups of the general linear group. Quantum Inf. Comput. 12(7–8), 661–669 (2012)
Jao, D., De Feo, L.: Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. In: Yang, B.-Y. (ed.) PQCrypto 2011. LNCS, vol. 7071, pp. 19–34. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25405-5_2
Yu Kitaev, A.: Quantum measurements and the abelian stabilizer problem. arXiv preprint arXiv:quant-ph/9511026 (1995)
Kohel, D., Lauter, K., Petit, C., Tignol, J.-P.: On the quaternion \(\ell \)-isogeny path problem. LMS J. Comput. Math. 17(A), 418–432 (2014)
Kutas, P., Merz, S.-P., Petit, C., Weitkämper, C.: One-way functions and malleability oracles: hidden shift attacks on isogeny-based protocols. In: Canteaut, A., Standaert, F.-X. (eds.) EUROCRYPT 2021. LNCS, vol. 12696, pp. 242–271. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-77870-5_9
Kohel, D.R.: Endomorphism rings of elliptic curves over finite fields. Ph.D. thesis, University of California, Berkeley (1996)
Kuperberg, G.: A subexponential-time quantum algorithm for the dihedral hidden subgroup problem. SIAM J. Comput. 35(1), 170–188 (2005)
Leroux, A.: A new isogeny representation and applications to cryptography. In: Agrawal, S., Lin, D. (eds.) Advances in Cryptology – ASIACRYPT 2022: 28th International Conference on the Theory and Application of Cryptology and Information Security, Taipei, 5–9 December 2022, Proceedings, Part II, pp. 3–35. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-22966-4_1
Leroux, A.: Quaternion Algebra and isogeny-based cryptography. Ph.D. thesis, Ecole doctorale de l’Institut Polytechnique de Paris (2022)
Maino, L., Martindale, C.: An attack on Sidh with arbitrary starting curve. Cryptology ePrint Archive (2022)
Petit, C.: Faster algorithms for isogeny problems using torsion point images. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10625, pp. 330–353. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70697-9_12
Petit, C., Lauter, K.: Hard and easy problems for supersingular isogeny graphs. Cryptology ePrint Archive, Report 2017/962 (2017). https://eprint.iacr.org/2017/962
Petit, C., Lauter, K., Quisquater, J.-J.: Full cryptanalysis of LPS and morgenstern hash functions. In: Ostrovsky, R., De Prisco, R., Visconti, I. (eds.) SCN 2008. LNCS, vol. 5229, pp. 263–277. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-85855-3_18
de Quehen, V., et al.: Improved Torsion-point attacks on SIDH variants. In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021. LNCS, vol. 12827, pp. 432–470. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-84252-9_15
Robert, D.: Evaluating isogenies in polylogarithmic time. Cryptology ePrint Archive (2022)
Rónyai, L.: Computing the structure of finite algebras. J. Symb. Comput. 9(3), 355–373 (1990)
Rostovtsev, A., Stolbunov, A.: Public-key cryptosystem based on isogenies. IACR Cryptol. ePrint Arch. 2006, 145 (2006)
Shor, P.W.: Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM J. Comput. 26(5), 1484–1509 (1997)
Silverman, J.H.: The arithmetic of elliptic curves, vol. 106. Springer (2009)
The Sage Developers. SageMath, the Sage Mathematics Software System (Version 9.4) (2022). https://www.sagemath.org
Voight, J.: Quaternion algebras. Preprint 13, 23–24 (2018)
Waterhouse, W.C.: Abelian varieties over finite fields. In: Annales scientifiques de l’École Normale Supérieure, vol. 2, pp. 521–560 (1969)
Wesolowski, B.: The supersingular isogeny path and endomorphism ring problems are equivalent. Cryptology ePrint Archive, Report 2021/919 (2021). https://ia.cr/2021/919
Acknowledgements
Gábor Ivanyos is supported in part by the Hungarian Ministry of Innovation and Technology NRDI Office within the framework of the Artificial Intelligence National Laboratory Program. Péter Kutas is supported by the Hungarian Ministry of Innovation and Technology NRDI Office within the framework of the Quantum Information National Laboratory Program, the J’anos Bolyai Research Scholarship of the Hungarian Academy of Sciences and by the UNKP-22-5 New National Excellence Program. Mingjie Chen, Péter Kutas and Christophe Petit are partly supported by EPSRC through grant number EP/V011324/1.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2023 International Association for Cryptologic Research
About this paper
Cite this paper
Chen, M., Imran, M., Ivanyos, G., Kutas, P., Leroux, A., Petit, C. (2023). Hidden Stabilizers, the Isogeny to Endomorphism Ring Problem and the Cryptanalysis of pSIDH. In: Guo, J., Steinfeld, R. (eds) Advances in Cryptology – ASIACRYPT 2023. ASIACRYPT 2023. Lecture Notes in Computer Science, vol 14440. Springer, Singapore. https://doi.org/10.1007/978-981-99-8727-6_4
Download citation
DOI: https://doi.org/10.1007/978-981-99-8727-6_4
Published:
Publisher Name: Springer, Singapore
Print ISBN: 978-981-99-8726-9
Online ISBN: 978-981-99-8727-6
eBook Packages: Computer ScienceComputer Science (R0)