Abstract
We give a new algorithm for finding an isogeny from a given supersingular elliptic curve \(E/\mathbb {F}_{p^2}\) to a subfield elliptic curve \(E'/\mathbb {F}_p\), which is the bottleneck step of the Delfs–Galbraith algorithm for the general supersingular isogeny problem. Our core ingredient is a novel method of rapidly determining whether a polynomial \(f \in L[X]\) has any roots in a subfield \(K \subset L\), while avoiding expensive root-finding algorithms. In the special case when \(f=\Upphi _{\ell ,p}(X,j) \in \mathbb {F}_{p^2}[X]\), i.e., when f is the \(\ell \)-th modular polynomial evaluated at a supersingular j-invariant, this provides a means of efficiently determining whether there is an \(\ell \)-isogeny connecting the corresponding elliptic curve to a subfield curve. Together with the traditional Delfs–Galbraith walk, inspecting many \(\ell \)-isogenous neighbours in this way allows us to search through a larger proportion of the supersingular set per unit of time. Though the asymptotic \(\tilde{O}(p^{1/2})\) complexity of our improved algorithm remains unchanged from that of the original Delfs–Galbraith algorithm, our theoretical analysis and practical implementation both show a significant reduction in the runtime of the subfield search. This sheds new light on the concrete hardness of the general supersingular isogeny problem (i.e. the foundational problem underlying isogeny-based cryptography), and has immediate implications on the bit-security of schemes like B-SIDH and SQISign for which Delfs–Galbraith is the best known classical attack.
M. Corte-Real Santos—Supported by EPSRC grant EP/S022503/1.
J. Shi—Part of this work was done while Jia was an intern at Microsoft Research.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
Notes
- 1.
- 2.
Note that the fixed exponentiations that take place in the calls to Tonelli-Shanks could be further optimised for a specific p by tailoring a larger window or a different addition chain, but the impact (for our purposes and comparisons) of this improvement would be minor.
- 3.
Initially we do not have a \(j_p\), so all three neighbours can be computed using generic root finding; our code does this during the setup phase.
- 4.
A real-world attack should check any non-trivial GCD, since either of these scenarios are a win for the cryptanalyst; the latter case reveals information about the secret endomorphism ring of the target isomorphism class (see [20, §5.3]), and the former case gives multiple solutions to the subfield search problem.
- 5.
We do this by taking long walks in \(\mathcal {X}(\bar{\mathbb {F}}_p, 3)\) away from a known subfield curve.
- 6.
Just as in Sect. 6, we used long walks in \(\mathcal {X}(\bar{\mathbb {F}}_p,3)\) away from a known starting curve to achieve uniformity in \(S_{p^2}\).
- 7.
For large, cryptographic sized primes p, computing class numbers is very computationally expensive. Indeed, a recent class group computation for a 512-bit prime terminated in \(\approx 52\) core years.
References
Adj, G., Cervantes-Vázquez, D., Chi-Domínguez, J., Menezes, A., Rodríguez-Henríquez, F.: On the cost of computing isogenies between supersingular elliptic curves. In: Cid, C., Jacobson, M., Jr. (eds.) SAC 2018. LNCS, vol. 11349, pp. 322–343. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-10970-7_15
Adj, G., Rodríguez-Henríquez, F.: Square root computation over even extension fields. IEEE Trans. Comput. 63(11), 2829–2841 (2013)
Arpin, S., et al.: Adventures in supersingularland. Exp. Math. 1–28 (2021)
Berlekamp, E.R.: Factoring polynomials over large finite fields. Math. Comput. 24(111), 713–735 (1970)
Beullens, W., Kleinjung, T., Vercauteren, F.: CSI-FiSh: efficient isogeny based signatures through class group computations. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019. LNCS, vol. 11921, pp. 227–247. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-34578-5_9
Bruinier, J.H., Ono, K., Sutherland, A.V.: Class polynomials for nonholomorphic modular functions. J. Number Theory 161, 204–229 (2016)
Burdges, J., De Feo, L.: Delay encryption. In: Canteaut, A., Standaert, F. (eds.) EUROCRYPT 2021, Part I. LNCS, vol. 12696, pp. 302–326. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-77870-5_11
Cantor, D.G., Zassenhaus, H.: A new algorithm for factoring polynomials over finite fields. Math. Comput. 36, 587–592 (1981)
Castryck, W., Decru, T.: CSIDH on the surface. In: Ding, J., Tillich, J.-P. (eds.) PQCrypto 2020. LNCS, vol. 12100, pp. 111–129. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-44223-1_7
Castryck, W., Decru, T., Vercauteren, F.: Radical isogenies. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020, Part II. LNCS, vol. 12492, pp. 493–519. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64834-3_17
Costello, C.: B-SIDH: supersingular isogeny Diffie-Hellman using twisted torsion. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020. LNCS, vol. 12492, pp. 440–463. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64834-3_15
Costello, C., Meyer, M., Naehrig, M.: Sieving for twin smooth integers with solutions to the Prouhet-Tarry-Escott problem. In: Canteaut, A., Standaert, F.-X. (eds.) EUROCRYPT 2021. LNCS, vol. 12696, pp. 272–301. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-77870-5_10
Delfs, C., Galbraith, S.D.: Computing isogenies between supersingular elliptic curves over \(\mathbb{F}_p\). Des. Codes Cryptogr. 78(2), 425–440 (2016)
De Feo, L., Jao, D., Plût, J.: Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. J. Math. Cryptol. 8(3), 209–247 (2014)
De Feo, L., Kohel, D., Leroux, A., Petit, C., Wesolowski, B.: SQISign: compact post-quantum signatures from quaternions and isogenies. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020. LNCS, vol. 12491, pp. 64–93. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64837-4_3
Galbraith, S.D., Petit, C., Silva, J.: Identification protocols and signature schemes based on supersingular isogeny problems. J. Cryptol. 33(1), 130–175 (2020)
Hamburg, M.: Fast and compact elliptic-curve cryptography. Cryptol. ePrint Arch. Report 2012/309 (2012). https://ia.cr/2012/309
Horn, R.A., Johnson, C.R.: Topics in Matrix Analysis. Cambridge University Press, Cambridge (1994)
Jao, D., et al.: SIKE: supersingular isogeny key encapsulation. Manuscript available at sike.org/ (2017)
Leonardi, C.: Security analysis of isogeny-based cryptosystems. Ph.D. thesis, University of Waterloo, Ontario, Canada (2020)
Lidl, R., Niederreiter, H.: Introduction to Finite Fields and their Applications. Cambridge University Press, Cambridge (1994)
Menezes, A.J., van Oorschot, P.C., Vanstone, S.A.: Handbook of Applied Cryptography. CRC Press, Boca Raton (2018)
Mestre, J.-F.: La méthode des graphes. Examples et applications. In: Proceedings of the International Conference on Class Numbers and Fundamental Units of Algebraic Number Fields (Katata), pp. 217–242. Citeseer (1986)
Pizer, A.K.: Ramanujan graphs and Hecke operators. Bull. Am. Math. Soc. 23(1), 127–137 (1990)
Scott, M.: A note on the calculation of some functions in finite fields: tricks of the trade. IACR Cryptol. ePrint Arch. 1497 (2020)
Shoup, V.: A Computational Introduction to Number Theory and Algebra. Cambridge University Press, Cambridge (2009)
Silverman, J.H.: The Arithmetic of Elliptic Curves, vol. 106. Springer, New York (2009). https://doi.org/10.1007/978-0-387-09494-6
Sutherland, A.V.: Modular polynomials. https://math.mit.edu/~drew/ClassicalModPolys.html. Accessed 30 Sept 2021
Sutherland, A.V.: On the evaluation of modular polynomials. Open Book Ser. 1(1), 531–555 (2013)
The Sage Developers. SageMath, the Sage Mathematics Software System (Version 9.2) (2021). https://www.sagemath.org
Vélu, J.: Isogénies entre courbes elliptiques. CR Acad. Sci. Paris Sér. AB 273(A238–A241), 5 (1971)
Acknowledgements
Thanks to Sam Frengley, Michael Naehrig, Krijn Reijnders, Benjamin Smith, Greg Zaverucha, and the CRYPTO2022 reviewers for their valuable comments on an earlier version of this paper. We also thank Drew Sutherland for answering our questions about alternative modular functions.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2022 International Association for Cryptologic Research
About this paper
Cite this paper
Corte-Real Santos, M., Costello, C., Shi, J. (2022). Accelerating the Delfs–Galbraith Algorithm with Fast Subfield Root Detection. In: Dodis, Y., Shrimpton, T. (eds) Advances in Cryptology – CRYPTO 2022. CRYPTO 2022. Lecture Notes in Computer Science, vol 13509. Springer, Cham. https://doi.org/10.1007/978-3-031-15982-4_10
Download citation
DOI: https://doi.org/10.1007/978-3-031-15982-4_10
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-15981-7
Online ISBN: 978-3-031-15982-4
eBook Packages: Computer ScienceComputer Science (R0)