Accelerating the Delfs–Galbraith Algorithm with Fast Subfield Root Detection

  • Conference paper
Advances in Cryptology – CRYPTO 2022 (CRYPTO 2022)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 13509)

Abstract

We give a new algorithm for finding an isogeny from a given supersingular elliptic curve \(E/\mathbb {F}_{p^2}\) to a subfield elliptic curve \(E'/\mathbb {F}_p\), which is the bottleneck step of the Delfs–Galbraith algorithm for the general supersingular isogeny problem. Our core ingredient is a novel method of rapidly determining whether a polynomial \(f \in L[X]\) has any roots in a subfield \(K \subset L\), while avoiding expensive root-finding algorithms. In the special case when \(f=\Upphi _{\ell ,p}(X,j) \in \mathbb {F}_{p^2}[X]\), i.e., when f is the \(\ell \)-th modular polynomial evaluated at a supersingular j-invariant, this provides a means of efficiently determining whether there is an \(\ell \)-isogeny connecting the corresponding elliptic curve to a subfield curve. Together with the traditional Delfs–Galbraith walk, inspecting many \(\ell \)-isogenous neighbours in this way allows us to search through a larger proportion of the supersingular set per unit of time. Though the asymptotic \(\tilde{O}(p^{1/2})\) complexity of our improved algorithm remains unchanged from that of the original Delfs–Galbraith algorithm, our theoretical analysis and practical implementation both show a significant reduction in the runtime of the subfield search. This sheds new light on the concrete hardness of the general supersingular isogeny problem (i.e. the foundational problem underlying isogeny-based cryptography), and has immediate implications on the bit-security of schemes like B-SIDH and SQISign for which Delfs–Galbraith is the best known classical attack.
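The subfield-root test that the abstract sketches, as an added illustration that is not the paper's own code. It takes a polynomial f over F_{p^2} and asks whether f has a root in the prime subfield F_p. The exact answer is the degree of gcd(f, X^p − X), but computing X^p mod f costs roughly log p polynomial multiplications, which is the root-finding-style expense the abstract wants to avoid. The cheap filter used here is gcd(f, f^σ), where f^σ applies the Frobenius x ↦ x^p to each coefficient: a root in F_p is always a common root, so a trivial gcd rules out subfield roots at once, while a nontrivial gcd can also arise from a pair of conjugate roots outside F_p (the two outcomes that note 4 below distinguishes). Treating this filter as the paper's exact method is an assumption of this example; the prime p = 11, the representation F_{p^2} = F_p(i) with i² = −1 (valid because p ≡ 3 mod 4), and the three sample polynomials are all constructed for the demonstration.

```python
# Added illustration (not the paper's code): detecting F_p roots of f in F_{p^2}[X].
# Assumptions: P = 3 mod 4 so F_{p^2} = F_p(i) with i^2 = -1; an element a + b*i is
# the tuple (a, b); a polynomial is a coefficient list, lowest degree first, and the
# zero polynomial is the empty list.

P = 11  # constructed toy prime, P = 3 mod 4

def fadd(x, y): return ((x[0] + y[0]) % P, (x[1] + y[1]) % P)
def fsub(x, y): return ((x[0] - y[0]) % P, (x[1] - y[1]) % P)
def fmul(x, y):
    a, b = x; c, d = y                       # (a+bi)(c+di) = (ac-bd) + (ad+bc)i
    return ((a * c - b * d) % P, (a * d + b * c) % P)
def fconj(x): return (x[0], (-x[1]) % P)    # Frobenius x -> x^p is conjugation on F_p(i)
def finv(x):
    a, b = x
    n_inv = pow((a * a + b * b) % P, P - 2, P)   # 1 / (x * conj(x)), a nonzero F_p element
    return ((a * n_inv) % P, ((-b) * n_inv) % P)

ZERO, ONE = (0, 0), (1, 0)

def ptrim(f):
    f = list(f)
    while f and f[-1] == ZERO: f.pop()
    return f
def pdeg(f): return len(ptrim(f)) - 1       # degree; -1 for the zero polynomial
def pmul(f, g):
    if not f or not g: return []
    out = [ZERO] * (len(f) + len(g) - 1)
    for i, a in enumerate(f):
        for j, b in enumerate(g):
            out[i + j] = fadd(out[i + j], fmul(a, b))
    return ptrim(out)
def psub(f, g):
    n = max(len(f), len(g))
    f = f + [ZERO] * (n - len(f)); g = g + [ZERO] * (n - len(g))
    return ptrim([fsub(a, b) for a, b in zip(f, g)])
def pmod(f, g):
    """Remainder of f divided by the nonzero polynomial g (schoolbook long division)."""
    f, g = ptrim(f), ptrim(g)
    lead_inv = finv(g[-1])
    while f and len(f) >= len(g):
        coef = fmul(f[-1], lead_inv)
        shift = len(f) - len(g)
        f = psub(f, [ZERO] * shift + [fmul(coef, c) for c in g])  # cancels the top term
    return f
def pmonic(f):
    f = ptrim(f)
    if not f: return f
    inv = finv(f[-1])
    return [fmul(inv, c) for c in f]
def pgcd(f, g):
    """Monic gcd by the Euclidean algorithm over F_{p^2}."""
    f, g = ptrim(f), ptrim(g)
    while g:
        f, g = g, pmod(f, g)
    return pmonic(f)

def frobenius_gcd(f):
    """Cheap filter: gcd(f, f^sigma) with sigma applied coefficient-wise.
    Trivial (degree 0) means f has no root in F_p; nontrivial means an F_p root
    or a conjugate pair of roots outside F_p (or both)."""
    return pgcd(f, [fconj(c) for c in f])

def x_pow_mod(e, f):
    """X^e mod f by square-and-multiply: the costly step the filter above avoids."""
    result, base = [ONE], pmod([ZERO, ONE], f)
    while e:
        if e & 1: result = pmod(pmul(result, base), f)
        base = pmod(pmul(base, base), f)
        e >>= 1
    return result

def subfield_root_count(f):
    """Exact number of distinct F_p roots of f: deg gcd(f, X^p - X)."""
    h = psub(x_pow_mod(P, f), [ZERO, ONE])
    return pdeg(pgcd(f, h))

def from_roots(roots):
    f = [ONE]
    for r in roots:
        f = pmul(f, [fsub(ZERO, r), ONE])   # multiply by (X - r)
    return f

# Constructed sample inputs over F_121 = F_11(i):
F_SUBFIELD  = from_roots([(3, 0), (1, 2), (4, 1)])   # root 3 in F_11, no conjugate pairs
F_CONJ_PAIR = from_roots([(1, 2), (1, 9), (4, 1)])   # 1+2i and 1-2i, no F_11 root
F_NONE      = from_roots([(1, 2), (4, 1), (2, 3)])   # no F_11 root, no conjugate pair

if __name__ == "__main__":
    for name, f in [("subfield root", F_SUBFIELD), ("conjugate pair", F_CONJ_PAIR), ("neither", F_NONE)]:
        print(name, "filter degree:", pdeg(frobenius_gcd(f)), "exact F_p roots:", subfield_root_count(f))
```

Run as written it prints the filter degree next to the exact root count for the three cases: the filter is trivial only for the third polynomial, so that one is discarded without any root finding, and the second shows why a nontrivial filter result still needs to be interpreted before it is treated as a subfield hit.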

M. Corte-Real Santos—Supported by EPSRC grant EP/S022503/1.

J. Shi—Part of this work was done while Jia was an intern at Microsoft Research.

Notes

  1. See [28], a database computed using techniques from various joint works of his [6, 29].

  2. Note that the fixed exponentiations that take place in the calls to Tonelli-Shanks could be further optimised for a specific p by tailoring a larger window or a different addition chain, but the impact (for our purposes and comparisons) of this improvement would be minor.

  3. Initially we do not have a \(j_p\), so all three neighbours can be computed using generic root finding; our code does this during the setup phase.

  4. A real-world attack should check any non-trivial GCD, since either of these scenarios is a win for the cryptanalyst; the latter case reveals information about the secret endomorphism ring of the target isomorphism class (see [20, §5.3]), and the former case gives multiple solutions to the subfield search problem.

  5. We do this by taking long walks in \(\mathcal {X}(\bar{\mathbb {F}}_p, 3)\) away from a known subfield curve.

  6. Just as in Sect. 6, we used long walks in \(\mathcal {X}(\bar{\mathbb {F}}_p,3)\) away from a known starting curve to achieve uniformity in \(S_{p^2}\).

  7. For large, cryptographic-sized primes p, computing class numbers is very computationally expensive. Indeed, a recent class group computation for a 512-bit prime terminated in \(\approx 52\) core years.

References

  1. Adj, G., Cervantes-Vázquez, D., Chi-Domínguez, J., Menezes, A., Rodríguez-Henríquez, F.: On the cost of computing isogenies between supersingular elliptic curves. In: Cid, C., Jacobson, M., Jr. (eds.) SAC 2018. LNCS, vol. 11349, pp. 322–343. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-10970-7_15

  2. Adj, G., Rodríguez-Henríquez, F.: Square root computation over even extension fields. IEEE Trans. Comput. 63(11), 2829–2841 (2013)

  3. Arpin, S., et al.: Adventures in supersingularland. Exp. Math. 1–28 (2021)

  4. Berlekamp, E.R.: Factoring polynomials over large finite fields. Math. Comput. 24(111), 713–735 (1970)

  5. Beullens, W., Kleinjung, T., Vercauteren, F.: CSI-FiSh: efficient isogeny based signatures through class group computations. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019. LNCS, vol. 11921, pp. 227–247. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-34578-5_9

  6. Bruinier, J.H., Ono, K., Sutherland, A.V.: Class polynomials for nonholomorphic modular functions. J. Number Theory 161, 204–229 (2016)

  7. Burdges, J., De Feo, L.: Delay encryption. In: Canteaut, A., Standaert, F. (eds.) EUROCRYPT 2021, Part I. LNCS, vol. 12696, pp. 302–326. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-77870-5_11

  8. Cantor, D.G., Zassenhaus, H.: A new algorithm for factoring polynomials over finite fields. Math. Comput. 36, 587–592 (1981)

  9. Castryck, W., Decru, T.: CSIDH on the surface. In: Ding, J., Tillich, J.-P. (eds.) PQCrypto 2020. LNCS, vol. 12100, pp. 111–129. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-44223-1_7

  10. Castryck, W., Decru, T., Vercauteren, F.: Radical isogenies. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020, Part II. LNCS, vol. 12492, pp. 493–519. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64834-3_17

  11. Costello, C.: B-SIDH: supersingular isogeny Diffie-Hellman using twisted torsion. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020. LNCS, vol. 12492, pp. 440–463. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64834-3_15

  12. Costello, C., Meyer, M., Naehrig, M.: Sieving for twin smooth integers with solutions to the Prouhet-Tarry-Escott problem. In: Canteaut, A., Standaert, F.-X. (eds.) EUROCRYPT 2021. LNCS, vol. 12696, pp. 272–301. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-77870-5_10

  13. Delfs, C., Galbraith, S.D.: Computing isogenies between supersingular elliptic curves over \(\mathbb{F}_p\). Des. Codes Cryptogr. 78(2), 425–440 (2016)

  14. De Feo, L., Jao, D., Plût, J.: Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. J. Math. Cryptol. 8(3), 209–247 (2014)

  15. De Feo, L., Kohel, D., Leroux, A., Petit, C., Wesolowski, B.: SQISign: compact post-quantum signatures from quaternions and isogenies. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020. LNCS, vol. 12491, pp. 64–93. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64837-4_3

  16. Galbraith, S.D., Petit, C., Silva, J.: Identification protocols and signature schemes based on supersingular isogeny problems. J. Cryptol. 33(1), 130–175 (2020)

  17. Hamburg, M.: Fast and compact elliptic-curve cryptography. Cryptol. ePrint Arch. Report 2012/309 (2012). https://ia.cr/2012/309

  18. Horn, R.A., Johnson, C.R.: Topics in Matrix Analysis. Cambridge University Press, Cambridge (1994)

  19. Jao, D., et al.: SIKE: supersingular isogeny key encapsulation. Manuscript available at sike.org/ (2017)

  20. Leonardi, C.: Security analysis of isogeny-based cryptosystems. Ph.D. thesis, University of Waterloo, Ontario, Canada (2020)

  21. Lidl, R., Niederreiter, H.: Introduction to Finite Fields and their Applications. Cambridge University Press, Cambridge (1994)

  22. Menezes, A.J., van Oorschot, P.C., Vanstone, S.A.: Handbook of Applied Cryptography. CRC Press, Boca Raton (2018)

  23. Mestre, J.-F.: La méthode des graphes. Examples et applications. In: Proceedings of the International Conference on Class Numbers and Fundamental Units of Algebraic Number Fields (Katata), pp. 217–242. Citeseer (1986)

  24. Pizer, A.K.: Ramanujan graphs and Hecke operators. Bull. Am. Math. Soc. 23(1), 127–137 (1990)

  25. Scott, M.: A note on the calculation of some functions in finite fields: tricks of the trade. Cryptol. ePrint Arch. Report 2020/1497 (2020)

  26. Shoup, V.: A Computational Introduction to Number Theory and Algebra. Cambridge University Press, Cambridge (2009)

  27. Silverman, J.H.: The Arithmetic of Elliptic Curves, vol. 106. Springer, New York (2009). https://doi.org/10.1007/978-0-387-09494-6

  28. Sutherland, A.V.: Modular polynomials. https://math.mit.edu/~drew/ClassicalModPolys.html. Accessed 30 Sept 2021

  29. Sutherland, A.V.: On the evaluation of modular polynomials. Open Book Ser. 1(1), 531–555 (2013)

  30. The Sage Developers. SageMath, the Sage Mathematics Software System (Version 9.2) (2021). https://www.sagemath.org

  31. Vélu, J.: Isogénies entre courbes elliptiques. CR Acad. Sci. Paris Sér. AB 273(A238–A241), 5 (1971)

Acknowledgements

Thanks to Sam Frengley, Michael Naehrig, Krijn Reijnders, Benjamin Smith, Greg Zaverucha, and the CRYPTO2022 reviewers for their valuable comments on an earlier version of this paper. We also thank Drew Sutherland for answering our questions about alternative modular functions.

Correspondence to Maria Corte-Real Santos.

Copyright information

© 2022 International Association for Cryptologic Research

About this paper

Cite this paper

Corte-Real Santos, M., Costello, C., Shi, J. (2022). Accelerating the Delfs–Galbraith Algorithm with Fast Subfield Root Detection. In: Dodis, Y., Shrimpton, T. (eds) Advances in Cryptology – CRYPTO 2022. CRYPTO 2022. Lecture Notes in Computer Science, vol 13509. Springer, Cham. https://doi.org/10.1007/978-3-031-15982-4_10

  • DOI: https://doi.org/10.1007/978-3-031-15982-4_10

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-15981-7

  • Online ISBN: 978-3-031-15982-4

  • eBook Packages: Computer Science (R0)
