The supersingular isogeny problem in genus 2 and beyond

Let \(A/\overline{\mathbb {F}}_p\) and \(A'/\overline{\mathbb {F}}_p\) be superspecial principally polarized abelian varieties of dimension \(g>1\). For any prime \(\ell \ne p\), we give an algorithm that finds a path \(\phi :A \rightarrow A'\) in the \((\ell , \dots , \ell )\)-isogeny graph in \(\widetilde{O}(p^{g-1})\) group operations on a classical computer, and \(\widetilde{O}(\sqrt{p^{g-1}})\) calls to the Grover oracle on a quantum computer. The idea is to find paths from \(A\) and \(A'\) to nodes that correspond to products of lower-dimensional abelian varieties, and to recurse down in dimension until an elliptic path-finding algorithm (such as Delfs–Galbraith) can be invoked to connect the paths in dimension \(g=1\). In the general case where \(A\) and \(A'\) are any two nodes in the graph, this algorithm presents an asymptotic improvement over all of the algorithms in the current literature. In the special case where \(A\) and \(A'\) are a known and relatively small number of steps away from each other (as is the case in higher-dimensional analogues of SIDH), it gives an asymptotic improvement over the quantum claw-finding algorithms and an asymptotic improvement over the classical van Oorschot–Wiener algorithm.
