Constructing elliptic curve isogenies in quantum subexponential time

Abstract. Given two ordinary elliptic curves over a finite field having the same cardinality and endomorphism ring, it is known that the curves admit a nonzero isogeny between them, but finding such an isogeny is believed to be computationally difficult. The fastest known classical algorithm takes exponential time, and prior to our work no faster quantum algorithm was known. Recently, public-key cryptosystems based on the presumed hardness of this problem have been proposed as candidates for post-quantum cryptography. In this paper, we give a new subexponential-time quantum algorithm for constructing nonzero isogenies between two such elliptic curves, assuming the Generalized Riemann Hypothesis (but with no other assumptions). Our algorithm is based on a reduction to a hidden shift problem, and represents the first nontrivial application of Kuperberg's quantum algorithm for finding hidden shifts. This result suggests that isogeny-based cryptosystems may be uncompetitive with more mainstream quantum-resistant cryptosystems such as lattice-based cryptosystems. As part of this work, we also present the first classical algorithm for evaluating isogenies having provably subexponential running time in the cardinality of the base field under GRH.
