Orienting supersingular isogeny graphs

Leonardo Colò; David Kohel

doi:10.1515/jmc-2019-0034

Open Access Published by De Gruyter October 23, 2020

Orienting supersingular isogeny graphs

Leonardo Colò and David Kohel

From the journal Journal of Mathematical Cryptology

https://doi.org/10.1515/jmc-2019-0034

Abstract

We introduce a category of 𝓞-oriented supersingular elliptic curves and derive properties of the associated oriented and nonoriented ℓ-isogeny supersingular isogeny graphs. As an application we introduce an oriented supersingular isogeny Diffie-Hellman protocol (OSIDH), analogous to the supersingular isogeny Diffie-Hellman (SIDH) protocol and generalizing the commutative supersingular isogeny Diffie-Hellman (CSIDH) protocol.

Keywords: Supersingular elliptic curves; isogeny graphs

MSC 2010: 11G05; 11G07; 11G15; 11T71; 14H10; 14H52; 14K02; 14K22

1 Introduction

In this paper we introduce a category of supersingular elliptic curves oriented by an imaginary quadratic order 𝓞, and derive properties of the associated oriented and non-oriented supersingular ℓ-isogeny graphs. This permits one to derive a faithful group action on a subset of oriented supersingular curves, equipped with a forgetful map to the set of non-oriented supersingular curves. As an application we introduce an oriented supersingular isogeny Diffie-Hellman protocol (OSIDH), analogous to the supersingular isogeny Diffie-Hellman (SIDH) of De Feo and Jao [18] and generalizing the commutative supersingular isogeny Diffie-Hellman (CSIDH) of Castryck, Lange, Martindale, Panny and Renes [5], the latter based on the idea of group actions on sets by Couveignes [9] and Rostovtsev-Stolbunov [25]. Renewed interest in these isogeny-based protocols is motivated by their presumed resistance to quantum attacks, and this work both enlarges the class of isogeny-based protocols and provides a framework for their security analysis.

We study some theoretical and practical aspects of the endomorphism ring of a supersingular elliptic curve and their connection with isogeny graphs. The central idea is to use an embedding of a quadratic imaginary order into the endomorphism ring of a supersingular elliptic curve, a maximal order in a quaternion algebra, to introduce an orientation on the curve. This extra piece of information permits one to impose compatible actions of the class groups of the suborders of this quadratic order on the descending isogeny chains and therefore on the isogeny volcano of oriented curves.

We observe that the starting vertex of the chain can be chosen to have a special orientation (by an order of class number one) and that computations can be performed using modular polynomials. This motivates us to introduce a Diffie-Hellman key exchange protocol that avoids limitations imposed by earlier constructions.

The idea of SIDH is to fix a large prime number p of the form p=ℓAeAℓBeBf±1 for a small cofactor f and to let the two parties Alice and Bob take random walks (i.e., isogenies chains) of length e_A (or e_B) in the ℓ_A-isogeny graph (or the ℓ_B-isogeny graph, respectively) on the set of supersingular j-invariants defined over 𝔽_p². In order to have the two key spaces of similar size ℓAeA≈ℓBeB, we need to take ℓAeA≈ℓBeB≈p. Since the total number of supersingular j-invariants is around p/12, this implies that, for each party, the space of choices for the secret key is limited to 1/p of the whole set of supersingular j-invariants over 𝔽_p². In other words, in choosing their secrets, Alice and Bob can go only “halfway” around the graph from the starting vertex j₀.

Recently, Castryck, Lange, Martindale, Panny and Renes proposed another key exchange protocol based on supersingular isogeny graphs over the prime field 𝔽_p. We fix a prime of the form p = 4ℓ₁ ⋅ … ⋅ ℓ_t − 1 and an elliptic curve E/𝔽_p defined by the equation E : y² = x³ + ax² + x. The peculiarity of CSIDH is that it works with curves defined over 𝔽_p and restricts the endomorphism rings of such curves to the commutative subring consisting of 𝔽_p-rational endomorphisms. Starting from this setup, the scheme is an adaptation of the Couveignes and Rostovtsev-Stolbunov idea. Observe that the choice of looking at curves defined over 𝔽_p, instead of 𝔽_p², limits the key spaces for Alice and Bob to #Cℓ(Z[−p]) supersingular points. For a given p, this is the same order of magnitude, O(plog⁡(p)) as for SIDH, but the class group is transitive on this subset.

In this paper we want to describe a new cryptographic protocol, the OSIDH, defined over an arbitrarily large subset of oriented supersingular elliptic curves over 𝔽_p², which combines features of SIDH and CSIDH, and permits one to cover an arbitrary proportion of all isomorphism classes of supersingular elliptic curves.

A feature shared by SIDH and CSIDH is that the isogenies are constructed as quotients of rational torsion subgroups: the secret path of length e_A in the ℓ_A-isogeny graph corresponds to a secret cyclic subgroup 〈A〉 ⊆ E[ℓ^e_A] where A is a rational ℓAeA-torsion point on E. The need for rational points imposes limits on the choice of the prime p and, thus, of the finite field we work on. In contrast OSIDH relies on constructions that can be carried out only with the use of modular polynomials hence avoiding conditions on the rational torsion subgroup.

In summary, an orientation provides a class group action on lifts of an arbitrarily large subset of supersingular points. Exploiting an effective subring 𝓞 of the full endomorphism ring we obtain an effective action by the class group of this subring on the isogeny volcano (whirlpool). This approach generalizes the class group action of CSIDH where supersingular elliptic curves are oriented by the commutative subring ℤ[π] generated by Frobenius π=−p. To avoid subexponential (or polynomial) time reductions, in the OSIDH protocol, as detailed in Section 5, the orientation and associated class group action is hidden in the intermediate data exchanged by Alice and Bob. This gives a protocol for which the best known attacks at present are fully exponential.

2 Orientations, isogeny chains, and ladders

In this section, we recall the definition of an isogeny graph and introduce the notion of orienting supersingular elliptic curves and their isogenies by an imaginary quadratic field K and its orders 𝓞. Finally, we describe how to impose a structure on an isogeny graph by means of isogeny chains and how to carry out an effective class group action, by means of ladders.

Isogeny graphs

Given an elliptic curve E over a field k, and a finite set of primes S, we can associate an isogeny graphΓ = Γ_S(E), whose vertices are elliptic curves k̄-isogenous to E, with fixed vertex E, and whose directed edges are isogenies of degree ℓ ∈ S. The vertices are defined up to k̄-isomorphism, and the edges from a given vertex are defined up to a k̄-isomorphism of the codomain. If S = {ℓ}, then we call Γ an ℓ-isogeny graph, which we write as Γ_ℓ(E).

An ℓ-isogeny graph Γ is equiped with an action of 𝓖 = Gal(k̄/k), with the vertex [E] a fixed point, as follows. We have

E[ℓ]={P∈E(k¯)|ℓP=O}≅(Z/ℓZ)2.

The set of cyclic subgroups is in bijection with ℙ(E[ℓ]) ≅ ℙ¹(ℤ/ℓℤ), which in turn is in bijection with the set of ℓ-isogenies from E. The 𝓖-action on E[ℓ] induces an action by 𝓖 on the ℓ+1 cyclic subgroups. This action extends to paths without backtracking of length n, via the action on the cyclic subgroups G of order ℓⁿ in

E[ℓn]={P∈E(k¯)|ℓnP=O}≅(Z/ℓnZ)2.

which are in bijection with ℙ(E[ℓⁿ]) ≅ ℙ¹(ℤ/ℓⁿℤ). This determines a compatible Galois action on vertices [E/G] and edges φ: E/G_i → E/G_i+1 where G_i ⊂ G_i+1 is of index ℓ. The action on infinite paths from E is thus determined by the Galois action on the projective Tate module ℙ(T_ℓ(E)) ≅ ℙ¹(ℤ_ℓ). In the same way we define the 𝓖-action on Γ_S(E) derived from the 𝓖-set structure of ℙ(T_S(E)), where

TS(E)=∏ℓ∈STℓ(E).

The choice of base curve E determines a Galois action on Γ, conjugate to the Galois action induced by a twist of E.

Thus an ℓ-isogeny graph is (ℓ+1)-regular for outgoing edges. The existence of curves of j-invariant 0 or 12³ with additional automorphisms in the graph implies a reduced number of incoming edges at these vertices. We define an undirected graph Γ_ℓ(E) by identifying an isogeny φ: E₀ → E₁ with its dual φ̂ : E₁ → E₀, and if Aut(E₀) ≠ {±1} or Aut(E₁) ≠ {±1} the orbits

Aut(E1)φAut(E0) and Aut(E0)φ^Aut(E1)

are identified, which gives a non-bijective correspondence between edges and dual edges.

Lemma 2.1

LetEbe an elliptic curve overkwith endomorphism ring 𝓞, and for a primeℓ ≠ char(k) letΓ_ℓ(E) be its undirectedℓ-isogeny graph.

If 𝓞 = ℤ, then each component ofΓ_ℓ(E) is an infinite tree.
If 𝓞 is an order in a CM fieldK, then each componentΓofΓ_ℓ(E) is infinite and either
1. the primeℓis split inKandΓhas a unique cycle, or
2. the primeℓis ramified or inert inKandΓis a tree.
If 𝓞 is an order in a quaternion algebra, thenΓ_ℓ(E) is finite and connected.

If E is defined over a number field, then case (1) is the generic case and in the CM case (2), every curve admits an embedding of an order of K in its endomorphism ring, and the Galois action is determined by CM theory (see Shimura [27]). If E is defined over a finite field, then only case (2) (ordinary) or case (3) (supersingular) can hold. The ordinary case gives rise to an ℓ-isogeny graph in bijection with the CM graph with CM field K = ℚ(π), where π is the Frobenius endomorphism. In the supersingular case we have more precisely that there are

(p−1)12+131−−3p+141−−4p

vertices. In the next section we introduce the notion of a K-orientation by an imaginary quadratic field K, which allows us to canonically lift the finite supersingular graph to an infinite oriented CM graph.

Orientations

Suppose now that E is a supersingular elliptic curve over a finite field k of characteristic p, and denote by End(E) the full endomorphism ring. We assume moreover that k contains 𝔽_p² and E is in an isogeny class such that End_k(E) = End(E).

We denote by End⁰(E) the ℚ-algebra End(E) ⊗_ℤ ℚ. In particular, End⁰(E) is the unique quaternion algebra over ℚ ramified at p and ∞.

Let K be a quadratic imaginary field of discriminant Δ_K with maximal order 𝓞_K. Then there exists an embedding ι : K → End⁰(E) if and only if p is inert or ramified in 𝓞_K, and there exists an order 𝓞 ⊆ 𝓞_K such that ι(𝓞) = ι(K) ∩ End(E).

Definition 2.2

AK-orientation on a supersingular elliptic curveE/kis a homomorphismι : K ↪ End⁰(E). An 𝓞-orientation onEis aK-orientation such that the image of the restriction ofιto 𝓞 is contained in End(E). We write End((E, ι)) for the order End(E) ∩ ι(K) inι(K). An 𝓞-orientation isprimitive ifιinduces an isomorphism of 𝓞 with End((E, ι)).

Let ϕ : E → F be an isogeny of degree ℓ. A K-orientation ι : K ↪ End⁰(E) determines a K-orientation ϕ_*(ι) : K ↪ End⁰(F) on F, defined by

ϕ∗(ι)(α)=1ℓϕ∘ι(α)∘ϕ^.

Conversely, given K-oriented elliptic curves (E, ι_E) and (F, ι_F) we say that an isogeny ϕ : E → F is K-oriented if ϕ_*(ι_E) = ι_F, i.e. if the orientation on F is induced by ϕ. The restriction to K-oriented isogenies determines a category of K-oriented elliptic curves, hence of K-oriented isomorphism classes, and a subcategory of 𝓞-oriented elliptic curves.

If E admits a primitive 𝓞-orientation by an order 𝓞 in K, ϕ : E → F is an isogeny then F admits an induced primitive 𝓞′-orientation for an order 𝓞′ satisfying

Z+ℓO⊆O′ and Z+ℓO′⊆O.

We say that an isogeny ϕ : E → F is an 𝓞-oriented isogeny if 𝓞 = 𝓞′.

If ℓ is prime, as direct analogue of Proposition 4.2.23 of [19], one of the following holds:

𝓞 = 𝓞′ and we say that ϕ is horizontal,
𝓞 ⊂ 𝓞′ with index ℓ and we say that ϕ is ascending,
𝓞′ ⊂ 𝓞 with index ℓ and we say that ϕ is descending.

Moreover if the discriminant of 𝓞 is Δ, then there are exactly ℓ−(Δℓ) descending isogenies. If 𝓞 is maximal at ℓ, then there are (Δℓ)+1 horizontal isogenies, and if 𝓞 is non-maximal at ℓ, then there is exactly one ascending ℓ-isogeny and no horizontal isogenies.

For an oriented class (E, ι) with endomorphism ring 𝓞 = End((E, ι)), we define (E, ι) to be at the surface (or depth 0) if 𝓞 is ℓ-maximal, and to be at depthn if the valuation at ℓ of [𝓞_K : 𝓞] is n. In the next section we introduce ℓ-isogeny chains linking oriented curves at the surface to oriented curves at depth n.

The oriented graph Γ_S(E, ι) is the graph whose vertices are K-oriented isomorphism classes, with fixed base vertex (E, ι), and whose edges are K-oriented ℓ-isogenies for ℓ in S.

Isogeny chains and ladders

Let E₀/k be a fixed supersingular elliptic curve, equipped with an 𝓞-orientation, and let ℓ ≠ p be a prime.

Definition 2.3

We define anℓ-isogeny chain of lengthnfromE₀toEto be a sequence of isogenies of degreeℓ:

E0⟶ϕ0E1⟶ϕ1E2⟶ϕ2…⟶ϕn−1En=E.

We say that theℓ-isogeny chain iswithout backtracking if ker(ϕ_i+1 ∘ ϕ_i) ≠ E_i[ℓ] for eachi = 0, …, n − 1, and say that the isogeny chain isdescending(orascending, orhorizontal) if eachϕ_iis descending (or ascending, or horizontal, respectively).

Remark

Since the dual isogeny of ϕ_i, up to isomorphism, is the only isogeny ϕ_i+1 satisfying ker(ϕ_i+1 ∘ ϕ_i) = E_i[ℓ], an isogeny chain is without backtracking if and only if the composition of two consecutive isogenies is cyclic. Moreover, we can extend this characterization in terms of cyclicity to the entire ℓ-isogeny chain.

Lemma 2.4

The composition of the isogenies in anℓ-isogeny chain is cyclic if and only if theℓ-isogeny chain is without backtracking.

Remark

If an isogeny ϕ is descending, then the unique ascending isogeny from ϕ(E), up to isomorphism, is the dual isogeny ϕ̂, satisfying ϕ̂ϕ = [ℓ]. As an immediate consequence, a descending ℓ-isogeny chain is automatically without backtracking, and an ℓ-isogeny chain without backtracking is descending if and only if ϕ₀ is descending.

Suppose that (E_i,ϕ_i) is an ℓ-isogeny chain, with E₀ equipped with an 𝓞_K-orientation ι₀ : 𝓞_K → End(E₀). For each i, let ι_i : K → End⁰(E_i) be the induced K-orientation on E_i; we note 𝓞_i = End(E_i) ∩ ι_i(K) with 𝓞₀ = 𝓞_K and Δ_i = discr(𝓞_i) with Δ₀ = Δ_K.

In particular, if (E_i,ϕ_i) is a descending ℓ-chain, then ι_i induces an isomorphism

ιi:Z+ℓiOK⟶Oi.

Let q be a prime different from p and ℓ that splits in 𝓞_K, let 𝔮 be a fixed prime over q. For each i we set 𝔮_(i) = ι_i(𝔮) ∩ 𝓞_i, and define

Ci=Ei[q(i)]={P∈Ei[q]|ψ(P)=0 for all ψ∈q(i)}.

We define F_i = E_i/C_i, and let ψ_i : E_i → F_i, an isogeny of degree q. By construction, it follows that ϕ_i(C_i) = C_i+1 for all i = 0, …, n − 1. In particular, if (E_i,ϕ_i) is a descending ℓ-ladder, then ι_i induces an isomorphism

ιi:Z+ℓiOK⟶Oi.

The isogeny ψ₀ : E₀ → F₀ = E/C₀ gives the following diagram of isogenies:

and for each i = 0, …, n − 1 there exists a unique ϕ′_i : F_i → F_i+1 with kernel ψ_i(ker(ϕ_i)) such that the following diagram commutes:

The isogenies ψ_i : E_i → F_i induce orientations ι′_i : 𝓞′_i → End(F_i). This construction motivates the following definition.

Definition 2.5

Anℓ-ladder of lengthnand degreeqis a commutative diagram ofℓ-isogeny chains (E_i, ϕ_i) and (F_i, ϕ′_i) of lengthnconnected byq-isogenies (ψ_i : E_i → F_i):

We also refer to anℓ-ladder of degreeqas aq-isogeny ofℓ-isogeny chains, which we express asψ : (E_i, ϕ_i) → (F_i, ϕ′_i).

We say that anℓ-ladder is ascending (or descending, or horizontal) if theℓ-isogeny chain (E_i, ϕ_i) is ascending (or descending, or horizontal, respectively). We say that theℓ-ladder islevelifψ₀is a horizontalq-isogeny. If theℓ-ladder is descending (or ascending), then we refer to the length of the ladder as itsdepth(or, respectively, as itsheight).

Lemma 2.6

Anℓ-ladderψ : (E_i, ϕ_i) → (F_i, ϕ′_i) of oriented elliptic curves is level if and only if End((E_i, ι_i)) is isomorphic to End((F_i, ι′_i)) for all 0 ≤ i ≤ n. In particular, if theℓ-ladder is level, then (E_i, ϕ_i) is descending (or ascending, or horizontal) if and only if (F_i, ϕ′_i) is descending (or ascending, or horizontal).

Remark

In the sequel we will assume that E₀ is oriented by a maximal order 𝓞_K. In Section 3 we investigate using the effective horizontal isogenies of E₀ to derive an effective class group action, and introduce a modular version of this action in Section 4. Walking down a descending isogeny chain, each elliptic curve will be oriented by an order of decreasing size and the final elliptic curve, which will be our final object of study, will have an orientation by an order of large index in 𝓞_K with action by a large class group.

Since the supersingular ℓ-isogeny graph is connected, every supersingular elliptic curve admits an ℓ-isogeny chain back to a curve oriented by any given maximal order 𝓞_K, so such a construction exists for any supersingular elliptic curve.

3 Oriented curves and class group action

Let SS(p) denote the set of supersingular elliptic curves over 𝔽_p up to isomorphism, and let SS_𝓞(p) be the set of 𝓞-oriented supersingular elliptic curves up to K-isomorphism over 𝔽_p, and denote the subset of primitive 𝓞-oriented curves by SSOpr(p).

Class group action

The set SS_𝓞(p) admits a transitive group action:

where 𝔞 is any representative ideal coprime to the index [𝓞_K : 𝓞] so that the isogeny E → E/E[𝔞] is horizontal. When restricted to primitive 𝓞-oriented curves, we obtain the following classical result, extending the standard result for CM elliptic curves.

Theorem 3.1

The class group 𝓒ℓ(𝓞) acts faithfully and transitively on the set of 𝓞-isomorphism classes of primitive 𝓞-oriented elliptic curves.

In particular, for fixed primitive 𝓞-oriented E, we hence obtain a bijection of sets:

For any ideal class [𝔞] and generating set {𝔮₁, …, 𝔮_r} of small primes, coprime to [𝓞_K : 𝓞], we can find an identity [a]=[q1e1⋅…⋅qrer], in order to compute the action via a sequence of low-degree isogenies.

For an ordinary ℓ-isogeny isogeny graph Γ_ℓ(E), the points defined over 𝔽_pⁿ are determined by the condition ℤ[πⁿ] ⊆ End(E). Since the class numbers of orders 𝓞 in K are unbounded, the previous theorem implies that the oriented supersingular graphs are infinite. While all supersingular curves and isogenies can be defined over 𝔽_p², we can use the inclusion of an order 𝓞 ⊂ End(E) to restrict to a finite subgraph.

Corollary 3.2

Let (E, ι) be aK-oriented elliptic curve. Theℓ-isogeny graphΓ_ℓ(E, ι) is an infinite graph which is the union of the finite subgraphs whose vertices are restricted to SS_𝓞(p) for an order 𝓞 inK.

The subrings 𝓞_n = ℤ + ℓⁿ𝓞 are a linearly ordered family which serve to bound the depth of K-oriented curves relative to a curve at the surface with orientation by an ℓ-maximal order 𝓞.

On vortices and whirlpools

Instead of considering the union of different isogeny graphs as in Couveignes [9] and Rostovtsev-Stolbunov [25], we focus on a fixed prime ℓ and we think of the other primes as acting on the ℓ-isogeny graph. The resulting object is the union of ℓ-isogeny volcanoes mixing under the action of 𝓒ℓ(𝓞). This action stabilizes the subgraph at the surface (the craters) and preserves descending paths. This view is consistent with the construction of orientations by ℓ-isogeny chains (paths in the ℓ-isogeny graph) anchored at the surface, with action of the class group determined by ladders.

Definition 3.3

Avortexis defined to be anℓ-isogeny subgraph whose vertices are isomorphism classes of 𝓞-oriented elliptic curves withℓ-maximal endomorphism ring, equipped with the action of 𝓒ℓ(𝓞). Awhirlpoolis defined to be a completeℓ-isogeny graph ofK-oriented elliptic curves whose subgraphs of 𝓞_n-oriented classes are acted on by 𝓒ℓ(𝓞_n).

Figure 1

A vortex consists of ℓ-isogeny cycles at the surface acted on by the class group 𝓒ℓ(𝓞) of an ℓ-maximal order 𝓞.

Figure 2

A whirlpool is an ℓ-isogeny graph equipped with compatible actions on its subgraphs by 𝓒ℓ(𝓞_n). The depicted 4-regular graph arises from ℓ = 3, and the cycle length is the order of a prime over ℓ in the ℓ-maximal order.

The underlying graph of a whirlpool is composed of multiple connected components, with the class group acting transitively on components with the same ℓ-maximal order of its vortex. The existence of multiple components of ℓ-volcanoes is studied in [21] and [15], where the set of ℓ-volcanoes is called an ℓ-cordillera. A general whirlpool can be depicted as in Figure 3, as an ℓ-cordillera (black lines) acted on by the class group, as represented by colored arrows.

Figure 3

An ℓ-isogeny graph of a whirlpool may have multiple components. The action depicts the subgraph acted on by a class group 𝓒ℓ(𝓞) of order 18, in which ℓ = 3 has order six, such as for discriminants −1691, −2291, and −2747.

Whirlpool examples

We give examples of both ordinary and supersingular whirlpool structures of ℓ-isogeny graphs with induced class group actions.

Example 3.4

LetE/𝔽₃₅₃be a ordinary elliptic curve with 344 rational points, and consider the subgraph ofΓ₂(E) of curves defined over 𝔽₃₅₃. The ring ℤ[π] generated by Frobeniusπhas index 2 in the maximal orderOK≅Z[−82]of class number 4. The set ofj-invariants of such curves at the surface is {160, 230, 270, 298}, and thej-invariants of curves at depth 1 are {66, 182, 197, 236, 253, 264, 304, 330}.

This graph, depicted in Figure 4, consists of two 2-volcanoes, and hence the whirlpool consists of two components permuted by the transitive action of 𝓒ℓ(ℤ[π]). Figure 5 represents the whirlpool, with blue lines indicating the 7-isogenies and red lines corresponding to the 13-isogenies.

Figure 4

A 2-cordillera.

Figure 5

A whirlpool with two components.

Example 3.5

LetE₀/𝔽₇₁be the supersingular elliptic curve withj(E) = 0, oriented by the order 𝓞_K = ℤ[ω], whereω² + ω + 1 = 0. The unoriented 2-isogeny graph is the finite graph:

The orietation byK = ℚ[ω] differentiates vertices in the descending paths fromE₀, determining an infinite graphy shown here to depth 4:

Consider the descending path along vertexj-invariants (0, 40, 17, 41, 66), and let 𝔮₇be a prime over the split prime 7. SinceΔ_K = −3 andΔ₁ = disc(𝓞₁) = −12 are of class number one, 𝔮₇ ∼ 1, and the 7-isogenous chain is likewise of the form (0,40, … ).

At depth 2, the class number of 𝓞₂of discriminant −48 is 2, and a Minkowski reduction of 𝔮₇is an equivalent prime 𝔮₃over 3. In particular, this prime is nonprincipal of order 2, so the image chain extends (0, 40, 48, … ).

At depth 3, the class number of 𝓞₃is 4, and 𝔮₇ ∼ 𝔮̄₇are primes of order 2 in the class group, hence the two 7-isogenies are to the same chain (0, 40, 48, 48, … ). Finally at depth 4 we differentiate the two primes 𝔮₇and 𝔮̄₇in 𝓞₄each of order 4. The two extensions (0, 40, 48, 48, 66) and (0, 40, 48, 48, 40), each of which corresponds to one of the primes over 7. For a choice of prime 𝔮₇we have thus determined the following ladder inducing the action of 𝔮₇on theℓ-isogeny chain.

The forgetful map to unoriented isogeny graphs

In this section we address the extent of non-injectivity of the forgetful map from oriented curves in the infinite oriented supersingular ℓ-isogeny graphs to the finite supersingular graph.

By Theorem 3.1, we have a bijection (isomorphism of sets with 𝓒ℓ(𝓞)-action):

Cℓ(O)≅SSOpr(O)⊆SSO(p)

determined by any choice of base point. On the other hand, for a descending chain of imaginary quadratic orders of index ℓ,

OK=O0⊃O1⊃⋯⊃Oi⊃⋯

determined by a descending ℓ-isogeny chain, the class numbers satisfy the geometric growth h(𝓞_i+1) = ℓh(𝓞_i) for alli ≥ 1. In particular, the inclusion 𝓞_i+1 ⊂ 𝓞_i determines an inclusion SS_{𝓞_i}(p) ⊂ SS_{𝓞_i+1}(p) = SS_{𝓞_i}(p) ∪ SSOi+1pr(p). Consequently we have an unbounded chain of sets

SSOK(p)⊂SSO1(p)⊂⋯⊂SSOi(p)⊂⋯

equipped with forgetful maps SS_{𝓞_i}(p) → SS(p) sending the 𝓞_i-isomorphism class [(E, 𝓞_i)] to the isomorphism class [E] determined by the j-invariant j(E).

This motivates the questions of when the map SS_{𝓞_i}(p) → SS(p) and its restriction to SSOipr(p) are injective, and when these maps are surjective. We adopt the notation H(p) for the cardinality ∣SS(p)∣ of supersingular curves, denote by X_i the image of SS_{𝓞_i}(p) in SS(p) and write Y_i for the image of SSOipr(p). Moreover we write λ_i = log_p(∣Δ_i∣) where Δ_i = ℓ²ⁱΔ_K = disc(𝓞_i). With this notation Figure 1 and Figure 2 give tables of values for ∣Y_i∣, ∣X_i∣, and λ_i, for primes of 10 and 12 bits respectively, depicting the boundary line for injectivity at λ_i = 1 and the critical line for surjectivity at λ_i = 2. We conclude this section with a general proposition, which follows from the following algebraic lemma, in order to justify the injectivity bound.

Lemma 3.6

Letα₁andα₂be elements of a maximal quaternion order in a quaternion algebra over ℚ ramified at a primep. SetΔ_i = disc(ℤ[α_i]) fori ∈ {1, 2}, and defineωto be the commutator [α₁, α₂] = α₁α₂ − α₂α₁. Thenωsatisfies Tr(ω) = 0, Nr(ω) = (Δ₁Δ₂ − T²)/4 whereT = 2Tr(α₁α₂) − Tr(α₁)Tr(α₂), and Nr(ω) ≡ 0 mod p.

Proof

The equality Tr(ω) = 0 follows from the relation Tr(α₁α₂) = Tr(α₂α₁) and linearity of the reduced trace. The expression for the reduced norm Nr(ω) is an elementary calculation. The congruence Nr(ω) = 0 mod p holds since the unique maximal ideal 𝔓 over p in the quaternion order is the subset of elements α with Nr(α) ≡ 0 mod p, and the quotient by 𝔓 is isomorphic to the (commutative) finite field 𝔽_p². Hence α₁α₂ ≡ α₂α₁ mod 𝔓 which implies ω mod 𝔓 = 0, from which Nr(ω) ≡ 0 mod p holds.□

Proposition 3.7

Let 𝓞 be an imaginary quadratic order of discrminantΔandpa prime which is inert in 𝓞. If ∣Δ∣ < p, then the map SS_𝓞(p) → SS(p) is injective.

Proof

If the map is not injective, there exists a supersingular elliptic curve E/𝔽_p, such that End(E) admits distinct embeddings ι_i :𝓞 = ℤ[α] → End(E), for i ∈ {1, 2}. Let α_i = ι_i(α) and set ω = [α₁, α₂]. By the previous lemma, we have

Nr(ω)=Δ2−T24≡0modp.

Since p is prime, and T ≡ Δ mod 2, we have either ∣Δ∣ − ∣T∣ ≡ 0 mod 2p or ∣Δ∣ + ∣T∣ ≡ 0 mod 2p. Moreover, since End(E) is an order in a definite quaternion algebra, we have Nr(ω) > 0, hence ∣T∣ < ∣Δ∣. It follows that 2p ≤ ∣Δ∣ + ∣T∣ ≤ 2∣Δ∣, and hence p ≤ ∣Δ∣. As a consequence, we conclude that if the map is injective, then ∣Δ∣ < p.□

Table 1

Sizes of images of oriented classes mapping to supersingular curves

p = 1013
i	h(O_i)	∣Y_i∣	∣X_i∣	H(p)	λ_i
1	1	1	1	85	0.3590
2	2	2	3	85	0.5593
3	4	4	7	85	0.7596
4	8	8	15	85	0.9599

5	16	16	29	85	1.1603
6	32	26	47	85	1.3606
7	64	43	66	85	1.5609
8	128	70	82	85	1.7612
9	256	79	85	85	1.9615

10	512	83	85	85	2.1618

p = 1019
i	h(O_i)	∣Y_i∣	∣X_i∣	H(p)	λ_i
1	1	1	1	86	0.3587
2	2	2	3	86	0.5588
3	4	4	7	86	0.7590
4	8	8	15	86	0.9591

5	16	15	30	86	1.1593
6	32	29	49	86	1.3594
7	64	46	69	86	1.5595
8	128	64	81	86	1.7597
9	256	83	84	86	1.9598

10	512	86	86	86	2.1600

Table 2

Sizes of images of oriented classes mapping to supersingular curves

p = 4079
i	h(O_i)	∣Y_i∣	∣X_i∣	H(p)	λ_i
1	1	1	1	341	0.2988
2	2	2	3	341	0.4656
3	4	4	7	341	0.6323
4	8	8	15	341	0.7991
5	16	16	31	341	0.9658

6	32	31	62	341	1.1326
7	64	61	113	341	1.2993
8	128	111	196	341	1.4661
9	256	180	276	341	1.6328
10	512	258	326	341	1.7996
11	1024	318	340	341	1.9663

12	2048	340	341	341	2.1331

p = 4091
i	h(O_i)	∣Y_i∣	∣X_i∣	H(p)	λ_i
1	1	1	1	342	0.2987
2	2	2	3	342	0.4654
3	4	4	7	342	0.6321
4	8	8	15	342	0.7988
5	16	16	31	342	0.9655

6	32	30	59	342	1.1322
7	64	59	110	342	1.2989
8	128	107	182	342	1.4656
9	256	186	263	342	1.6323
10	512	266	326	342	1.7990
11	1024	314	341	342	1.9657

12	2048	339	342	342	2.1323

4 Modular isogenies

In this section we consider the way in which we effectively represent and compute isogenies. With the view to oriented isogenies, we focus on horizontal isogenies with kernel E[𝔮], where E is a primitive 𝓞-oriented elliptic curve and 𝔮 a prime ideal of ι(𝓞). In what follows we suppress ι and identify 𝓞 with ι(𝓞).

Effective endomorphism rings and isogenies

We say a subring of End(E) is effective if we have explicit polynomial or rational functions which represent its generators. The subring ℤ in End(E) is thus effective. Examples of effective imaginary quadratic subrings 𝓞 ⊂ End(E), are the subring 𝓞 = ℤ[π] generated by Frobenius, for either an ordinary elliptic curve, or a supersingular elliptic curve defined over 𝔽_p, or an elliptic curve obtained by CM construction for an order 𝓞 of small discriminant (in absolute value).

In the Couveignes [9] or the Rostovtsev-Stolbunov [25] constructions, or in the CSIDH protocol [5], one works with the ring 𝓞 = ℤ[π]. The disadvantage is that for large finite fields, the class group of 𝓞 is large and the primes 𝔮 in 𝓞 have no small degree elements. For large p and small q, the smallest degree element of a prime 𝔮 of norm q is the endomorphism [q], of degree q². The division polynomial ψ_q(x), which cuts out the torsion group E[q], is of degree (q² − 1)/2. Consequently factoring ψ_q(x) to find the kernel polynomial (see Kohel [19, Chapter 2]) of degree (q − 1)/2 for E[𝔮] is relatively expensive. As a result, in the SIDH protocol [18], the ordinary protocol of De Feo, Smith, and Kieffer [11], or the CSIDH protocol [5], the curves are chosen such that the points of E[𝔮] are defined over a small degree extension κ/k, particularly [κ/k] ∈ {1,2}, and working with rational points in E(κ).

In the OSIDH protocol outlined below, we propose the use of an effective CM order 𝓞_K of class number 1. In particular every prime 𝔮 of norm q is generated by an endomorphism of the minimal degree q. For example we may take 𝓞_K to be the Eisenstein or Gaussian integers of discriminant −3 or −4, generated by an automorphism. The kernel polynomial of degree (q − 1)/2 can be computed directly without need for a splitting field for E[𝔮], and the computation of a generator isogeny is a one-time precomputation. Using an analog of the construction of division polynomials, the computation of the kernel polynomial requires O(q) field operations.

Push forward isogenies

The extension of an isogeny (or, as we will see in the next section, of an endomorphism) of E₀ to an ℓ-isogeny chain (E_i, ϕ_i) reduces to the construction of a ladder. At each step we are given ϕ_i : E_i → E_i+1 and ψ_i : E_i → F_i of coprime degrees, and need to compute

ψi+1:Ei+1→Fi+1 and ϕi′:Fi→Fi+1.

Rather than working with elliptic curves and isogenies, we construct the oriented graphs directly as points on a modular curve linked by modular correspondences defined by modular polynomials.

Modular curves and isogenies

The use of modular curves for efficient computation of isogenies has an established history (see Elkies [14]). For this purpose we represent isogeny chains and ladders as finite sequences of points on the modular curve 𝓧 = X(1) preserving the relations given by a modular equation.

We recall that the modular curve X(1) ≅ ℙ¹ classifies elliptic curves up to isomorphism, and the function j generates its function field. The family of elliptic curves

E:y2+xy=x3−36(j−1728)x−1(j−1728)

covers all isomorphism classes j ≠ 0, 12³ or ∞, such that the fiber over j₀ ∈ k is an elliptic curve of j-invariant j₀. The curves y² + y = x³ and y² = x³ + x deal with the cases j = 0 and j = 1728.

The modular polynomial Φ_m(X, Y) defines a correspondence in X(1) × X(1) such that Φ_m(j(E),j(E′)) = 0 if and only if there exists a cyclic m-isogeny ϕ from E to E′, possibly over some extension field. The curve in X(1) × X(1) cut out by Φ_m(X, Y) = 0 is a singular image of the modular curve X₀(m) parametrizing such pairs (E, ϕ).

Remark

The modular curve X(1) can be replaced by any genus 0 modular curve 𝓧 parametrizing elliptic curves with level structure. Lifting the modular polynomials back to 𝓧 of higher level (but still genus 0) has an advantage of reducing the coefficient size of the corresponding modular polynomials Φ_m(X, Y).

In the case of CSIDH, the authors use 𝓧 = X₀(4), with a modular function a ∈ k(X₀(4)) to parametrize the family of curves

E:y2=x(x2+ax+1),

together with a cyclic subgroup C ⊂ E of order 4, whose generators are cut out by x = 1. The map 𝓧 → X(1) is given by

j=28(a2−3)3(a−2)(a+2)⋅

The approach via modular isogenies of this section can be adapted as well to the CSIDH protocol.

Definition 4.1

Amodularℓ-isogeny chain of lengthnoverkis a finite sequence (j₀, j₁, …, j_n) inksuch thatΦ_ℓ(j_i, j_i+1) = 0 for 0 ≤ i < n. Amodularℓ-ladder of lengthnand degreeqoverkis a pair of modularℓ-isogeny chains

(j0,j1,…,jn)and(j0′,j1′,…,jn′),

such thatΦ_q(j_i, j′_i) = 0.

Clearly an ℓ-isogeny chain (E_i, ϕ_i) determines the modular ℓ-isogeny chain (j_i = j(E_i)), but the converse is equally true.

Proposition 4.2

If (j₀, …, j_n) is a modularℓ-isogeny chain overk, andE₀/kis an elliptic curve withj(E₀) = j₀, then there exists anℓ-isogeny chain (E_i, ϕ_i) such thatj_i = j(E_i) for all 0 ≤ i ≤ n.

Given any modular ℓ-isogeny chain (j_i), elliptic curve E₀ with j(E₀) = j₀, and isogeny ψ₀ : E₀ → F₀, it follows that we can construct an ℓ-ladder ψ : (E_i, ϕ_i) → (F_i, ϕ′_i) and hence a modular ℓ-isogeny ladder. In fact the ℓ-ladder can be efficiently constructed recursively from the modular ℓ-isogeny chain (j₀, …, j_n) and (j′₀, …, j′_n), by solving the system of equations

Φℓ(ji′,Y)=Φq(ji+1,Y)=0,

for Y = j′_i+1.

Remark

The modular polynomial Φ_q(X, Y) is degree q + 1 in X and Y. The evaluation at X = j ∈ 𝔽_p² requires O(q²) field multiplications. The subsequent gcd requires O(ℓ q) operations, and these operations are repeated to depth n.

5 OSIDH

We consider an elliptic curve E₀/k (k = 𝔽_p²) with an 𝓞_K-orientation by an effective ring 𝓞_K of class number 1, e.g. j = 0 or j = 12³ (for which 𝓞_K = ℤ[ζ₃] or ℤ[i]), small prime ℓ, and a descending ℓ-isogeny chain from E₀ to E = E_n. The 𝓞_K-orientation on E₀ and ℓ-isogeny chain induces isomorphisms

ιi:Z+ℓiOK→Oi⊂End(Ei),

and we set 𝓞 = 𝓞_n. By hypothesis on E₀/k (the class number of 𝓞_K is 1), any horizontal isogeny ψ₀ : E₀ → F₀ is, up to isomorphism F₀ ≅ E₀, an endomorphism.

For a small prime q, we push forward a q-endomorphism ϕ₀ ∈ End(E₀), to a q-isogeny ψ : (E_i, ϕ_i) → (F_i, ϕ′_i).

By sending 𝔮 ⊂ 𝓞_K to ψ₀ : E₀ → F₀ = E₀/E₀[𝔮] ≅ E₀, and pushing forward to ψ_n : E_n → F_n, we obtain the effective action of 𝓒ℓ(𝓞) on ℓ-isogeny chains of length n from E₀. In other words, the action of an ideal 𝔮 becomes non trivial while pushing it down along a descending isogeny chain due to the fact that 𝔮 ∩ 𝓞_i becomes “less and less principal”.

In order to have the action of 𝓒ℓ(𝓞) cover a large portion of the supersingular elliptic curves, we require ℓⁿ ∼ p, i.e., n ∼ log_ℓ(p).

Recall

The previous estimates are based on two very important results. Observe that the number of oriented elliptic curves that we can reach after n steps equals the class number h(𝓞_n) of 𝓞_n = ℤ+ℓⁿ𝓞_K. It is well-known [10, § 7.D] that:

h(Z+mOK)=h(OK)mOK×:O×∏p∣m1−ΔKp1p(1)

where [8, VI.3]

OK×={±1}if ΔK<−4{±1,±i}if ΔK=−4{±1,±ζ3,±ζ32}if ΔK=−3⇒OK×:O×=1if ΔK<−42if ΔK=−43if ΔK=−3

On the other hand, we know that the number of supersingular elliptic curves over 𝔽_p² is given by the following formula [28, V.4]:

#SS(p)=p12+0if p≡1mod121if p≡5,7mod122if p≡11mod12

Therefore, in our case

h(ℓnOK)=1⋅ℓn2 or 31−ΔKℓ1ℓ=p12+ϵ⟹p∼ℓn

To realise the class group action, it suffices to replace the above ℓ-ladder with its modular ℓ-ladder.

At the first index for which j′_i = j(E_i/E_i[𝔮_i]) is different from j″_i = j(E_i/E_i[𝔮̄_i]), that is, [𝔮_i] ≠ [𝔮̄_i] in 𝓒ℓ(𝓞_i), we can solve iteratively for j′_i+1 from j′_i and j_i+1 using the equations:

Φℓ(ji′,Y)=Φq(ji+1,Y)=0.

The action of primes 𝔮 through 𝓒ℓ(𝓞) can be precomputed by its action on these initial segments which permits us to separate the action of 𝔮 and 𝔮̄, hence assures a unique solution to the above system.

Thus, E′_i ≠ E″_i if and only if 𝔮² ∩ 𝓞_i is not principal and the probability that a random ideal in 𝓞_i is principal is 1/h(𝓞_i). In fact, we can do better; we write 𝓞_K = ℤ[ω] and we observe that if 𝔮² was principal, then

q2=N(q2)=N(a+bℓiω)

since it would be generated by an element of 𝓞_i = ℤ+ℓⁱ𝓞_K. Now

N(a+bℓi)=a2±abtℓi+b2sℓ2iwhereω2+tω+s=0

Thus, as soon as ℓ²ⁱ > q² we are guaranteed that 𝔮² is not principal.

5.1 A first naive protocol

We now present the OSIDH cryptographic protocol based on this construction. We first describe a simplified version as intermediate step. The reason for doing that is twofold. On one hand it permits us to observe how the notions introduced so far lead to a cryptographic protocol, and on the other hand it highlights the critical security considerations and identifies the computationally hard problems on which the security is based.

As described at the beginning of the section, we fix a maximal order 𝓞_K in a quadratic imaginary field K of small discriminant Δ_K and a large prime p such that ΔKp≠1. Further, the two parties agree on an elliptic curve E₀ with effective maximal order 𝓞_K embedded in the endomorphism ring and a descending ℓ-isogeny chain:

E0⟶E1⟶E2⟶⋯⟶En.

Each constructs a power smooth horizontal endomorphism ψ of E₀ as the product of generators of small principal ideals in 𝓞_K. A power smooth isogeny, for which the prime divisors and exponents of its degree are bounded, ensures that ψ can be efficiently extended to a ladder.

Remark

In practice, we will fix 𝓞_K to be either the Eisenstein integers ℤ[ζ₃] or the Gaussian integers ℤ[ζ₄] ( = ℤ[i]). Since the ladder is descending, we have that End((E_i, ι_i)) ≅ ℤ+ℓⁱ𝓞_K for all i = 0, …, n.

Alice privately chooses a horizontal power smooth endomorphism ψ_A = ψ₀ : E₀ → F₀ = E₀, and pushes it forward to an ℓ-ladder of length n:

By Lemma 2.6, this ℓ-ladder is level, hence End((E_i, ι_i)) = End((F_i, ι′_i)).

The ℓ-isogeny chain (F_i) is sent to Bob, who chooses a horizontal smooth endomorphism ψ_B, and sends the resulting ℓ-isogeny chain (G_i) to Alice. Each applies (and, eventually, push forward) the private endomorphism to obtain (H_i) = ψ_B ⋅ (F_i) = ψ_A ⋅ (G_i), and H = H_n is the shared secret.

In the following picture the blue arrows correspond to the orientation chosen throughout by Alice while the red ones represent the choice made by Bob.

PUBLIC DATA: A descending ℓ-isogeny chain E₀ → E₁ → ⋯ → E_n

	ALICE	BOB
Choose a smooth endomorphism of E₀ in 𝓞_K
Push it forward to depth n Exchange data
Compute shared secret	Compute ψ_A ⋅ (G_i)	Compute ψ_B ⋅ (F_i)

In the end, Alice and Bob share a new chain E₀ → H₁ → ⋯ → H_n

This naive protocol reveals too much information and is susceptible to attack by computing the endomorphism rings of the end curves End(E_n), End(F_n), and End(G_n). In general, the problem of computing an isogeny between two supersingular elliptic curves E and F knowing End(E) is broadly equivalent to the task of computing End(F) [13, 17]. Kohel’s algorithm [19], and the refinement of Galbraith [16], compute several paths in the isogeny graph to find isogenies F → F. Thus, as noted in [17], computing End(F) can be reduced to finding an endomorphism ϕ : F → F that is not in ℤ[π].

Remark

Observe that in SIDH and CSIDH the endomorphism ring of the starting elliptic curve is known since the shared initial curve is chosen to have special form. In OSIDH the situation changes: we need to find an isogeny starting from E_n, and not the curve E₀ for which we have an explicit description of the endomorphism ring. However, knowing End(E₀), we can deduce at each step

Z+ℓEnd(Ei)≅Z+ϕiEnd(Ei)ϕ^i⊂End(Ei+1)

and thus we obtain the inclusion ℤ+ℓⁿEnd(E₀) ↪ End(E_n).

Notice that, in general, knowing the existence of a copy of an imaginary quadratic order inside the maximal order of a quaternion algebra does not guarantee the knowledge of the embedding as there might be many [12, II.5]. In this case, from the knowledge of a subring ℤ+ℓEnd(E_i) of finite index ℓ³ we can reconstruct End(E_i+1) step-by-step from the ℓ-isogeny chain E₀ → E₁ → … → E_n, and hence compute End(E_n).

In the naive protocol we also share the full isogeny chain (F_i) (or their j-invariant sequence), which allows an adversary to deduce the oriented endomorphism ring

Z+ℓnOK↪End(Fn)

of the terminal elliptic curve F = F_n. This gives enough information to deduce Hom(E, F) and construct a representative smooth ideal in 𝓒ℓ(O) sending E to F.

We observe that there is another approach to this problem which uses only properties of the ideal class group. Suppose we have a K-descending ℓ-isogeny chain E₀ ⟶ E₁ ⟶ … ⟶ E_n with

End(E0)⊋OK=O0⊃O1⊃…⊃On≃Z+ℓnOK

This induces a sequence at the level of class groups

In particular, there exists a surjection

Cℓ(Oi+1)≃OK/ℓi+1OK×O¯K×Z/ℓi+1Z×⟶→OK/ℓiOK×O¯K×Z/ℓiZ×≃Cℓ(Oi)

whose kernel is easily described. First, the map ψ : 𝓒ℓ(𝓞₁) → 𝓒ℓ(𝓞_K) has kernel

Fℓ2×/Fℓ×of order ℓ+1if ℓ is inertFℓ××Fℓ×/Fℓ×of order ℓ−1if ℓ splitsFℓξ×/Fℓ×of order ℓif ℓ is ramified

where ξ² = 0 (see [10, §7.D] and [22, § 12]). Thereafter, for each i > 1, the surjection 𝓒ℓ(𝓞_i+1) → 𝓒ℓ(𝓞_i) has cyclic kernel of order ℓ by virtue of the class number formula (1), and hence we have a short exact sequence

1→Z/ℓZ→Cℓ(Oi+1)→Cℓ(Oi)→1

Thus if we have already constructed some representative for ψ_A modulo ℓⁱ𝓞_K, we can lift it to find ψ_Amodℓⁱ⁺¹𝓞_K from ℓ possible preimages. For each candidate lift ψ_Amodℓⁱ⁺¹𝓞_K, we search for an smooth representative

ψA≡ψ1e1ψ2e2⋅…⋅ψtetmodℓi+1OK

with deg(ψ_j) = q_j small. The candidate smooth lift can be applied to E_i+1 and the correct lift is that which sends E_i+1 to F_i+1 in the ℓ-isogeny chain (see Figure 6). This yields an algorithm involving multiple instances of the discrete logarithm problem in a group of order ℓ as in Pohlig-Hellman algorithm [23] and in the generalization of Teske [29].

Figure 6

Construction of Alice’s secret key

In conclusion, this naïve protocol is insecure because two parties share the knowledge of the entire chains (F_i) and (G_i). The question becomes: how can we avoid sharing the ℓ-isogeny chains while still giving the other party enough information to carry out their isogeny walk?

5.2 The OSIDH protocol

We now detail how to send enough public data to compute the isogenies ψ_A and ψ_B on G = G_n and F = F_n, respectively, without revealing the ℓ-isogeny chains (F_i) and (G_i). The setup remains the same with a public choice of 𝓞_K-oriented elliptic curve E₀ and ℓ-isogeny chain

E0→E1→⋯→En.

Moreover, a set of primes 𝔮₁, …, 𝔮_t (above q₁, …, q_t) splitting in 𝓞_K is fixed.

The first step consists of choosing the secret keys; these are represented by a sequence of integers (e₁, …, e_t) such that ∣e_i∣ ≤ r. The bound r is taken so that the number (2r+1)^t of curves that can be reached is sufficiently large. This choice of integers enables Alice to compute a new elliptic curve

Fn=EnEn[q1e1⋯qtet]

by means of constructing the following commutative diagram

Remark

Observe that this is just a union of q_i-ladders.

At this point the idea is to exchange curves F_n and G_n and to apply the same process again starting from the elliptic curve received from the other party. Unfortunately, this is not enough to get to the same final elliptic curve. Once Alice receives the unoriented curve G_n computed by Bob she also needs additional information for each prime 𝔮_i:

but she has no information as to which directions — out of q_i + 1 total q_i-isogenies — to take as 𝔮_i and 𝔮̄_i. For this reason, once that they have constructed their elliptic curves F_n and G_n, they precompute, for each prime 𝔮_i, the q_i-isogeny chains coming from q¯ij (denoted by the class qi−j) and qij:

Fn,i(−r)←⋯←Fn,i(−1)←Fn→Fn,i(1)→⋯→Fn,i(r−1)→Fn,i(r)

and

Gn,i(−r)←⋯←Gn,i(−1)←Gn→Gn,i(1)→⋯→Gn,i(r−1)→Gn,i(r)

Now Alice obtains from Bob the curve G_n and, for each i, the horizontal q_i-isogeny chains determined by the isogenies with kernels Gn[qij]. With this information Alice can take e₁ steps in the 𝔮₁-isogeny chain and push forward all the 𝔮_i-isogeny chains for i > 1.

Remark

We recall that pushing forward means constructing a ladder which transmits all the information about the commutative action of qiei in the class group.

Alice repeats the process for all the 𝔮′_is every time pushing forward the isogenies for the primes with index strictly bigger than i. Finally, she obtains a new elliptic curve

Hn=EnEn[q1e1+d1⋯qtet+dt]

Bob follows the same process with the public data received from Alice, in order to compute the same curve H_n. Recall that, in the naive protocol, Alice and Bob compute the group action on the full ℓ-isogeny chains:

In the refined OSIDH protocol, Alice and Bob share sufficient information to determine the curve H_n without knowledge of the other party’s ℓ-isogeny chain (G_i) and (F_i), nor the full ℓ-isogeny chain (H_i) from the base curve E₀.

Figure 7

Graphic representation of OSIDH

PUBLIC DATA: A descending ℓ-isogeny chain E₀ → E₁ → ⋯ → E_n and a set of splitting primes 𝔮₁, …, 𝔮_t ⊆ 𝓞 = End(E_n) ∩ K ↪ 𝓞_K

	ALICE	BOB
Choose integers in an interval [−r, r]	(e₁, …, e_t)	(d₁, …, d_t)
Construct an isogenous curve	Fn=EnEn[q1e1⋯qtet]	Gn=EnEn[q1d1⋯qtdt]
Precompute all directions ∀ i	Fn→Fn,i(1)→⋯→Fn,i(r)	Gn→Gn,i(1)→⋯→Gn,i(r)
… and their conjugates Exchange data
Compute shared data	Takes e_i steps in 𝔮_i-isogeny chain & push forward information for all j > i.	Takes d_i steps in 𝔮_i-isogeny chain & push forward information for all j > i.
In the end, Alice and Bob share the same elliptic curve
Hn=FnFn[q1d1⋯qtdt]=GnGn[q1e1⋯qtet]=EnEn[q1e1+d1⋯qtet+dt]⋅

Remark

We can read this scheme using the terminology of section 3.

After the choice of the secret key, we observe a vortex: Alice (respectively Bob) acts on an isogeny crater (that in the case of 𝓞_K = ℤ[ζ₃] or ℤ[i] consists of a single points) with the primes q1e1⋅…⋅qtet (respectively q1d1⋅…⋅qtdt).

This action is eventually transmitted along the ℓ-isogeny chain and we get a whirlpool. We can think of the isogeny volcano as rotating under the action of the secret keys and the initial ℓ-isogeny path transforming into the two secret isogeny chains.

6 Security considerations

In order to ensure security of the system, we have seen that the data giving the orientation must remain hidden. A second consideration is the proportion of curves attained by the action of the class group 𝓒ℓ(𝓞), and by the private walks ψ_A and ψ_B of Alice and Bob in that class group. The size of the orbit of 𝓒ℓ(𝓞) is controlled by the chain length n, and the number of curves attained by the private walks is further limited by the prime power data, up to exponent bounds, which we allow ourselves to transmit.

Chain length

Suppose that (E_i) is an isogeny chain of length n, from a supersingular elliptic curve E₀ oriented by 𝓞_K of class number one, and consider

Hom(E0,En)=ϕOK+ψOK.

As a quadratic module with respect to the degree map, its determinant is p². If the length n is of sufficient length such that E_n represents a general curve in SS(p), then a set of reduced basis elements ϕ and ψ satisfies

deg⁡(ϕ)≈deg⁡(ψ)≈p.

Now suppose that ϕ : E₀ → E_n is the isogeny giving the ℓ-isogeny chain. If deg(ϕ) = ℓⁿ is less than p, then ϕ𝓞_K is a submodule generated by short isogenies, and E_n is special. We conclude that we must choose n to be at least log_ℓ(p)/2 in order to avoid an attack which seeks to determine ϕ𝓞_K as a distinguished submodule of low degree isogenies.

We extend this argument to consider the logarithmic proportion λ of supersingular elliptic curves we can reach. In order to cover p^λ supersingular curves, out of ∣SS(p)∣ = p/12 + ε_p curves, deg(ϕ) must be such that

|Cℓ(O)|=OK/ℓnOK∗OK∗(Z/ℓnZ)∗≈ℓn=deg⁡(ϕ)≈pλ.

In particular, choosing λ = 1, we find that n = log_ℓ(p) is the critical length for reaching all supersingular curves.

Degree of private walks

Suppose now that E = E_n is a generic supersingular curve and F another. Without an 𝓞_K-module structure, we have a basis {ψ₁, ψ₂, ψ₃, ψ₄} such that

Hom(E,F)=Zψ1+Zψ2+Zψ3+Zψ4.

Assuming that E and F are generic relative to one another, a reduced basis satisfies deg(ψ_i) ≈ p, as above. Thus the private walk ψ_A should satisfy

logp⁡(deg⁡(ψA))≥12

in order that ℤψ_A is not a distinguished submodule of Hom(E, F). This critical distance is the maximal that can be attained by the SIDH protocol.

As above, another measure of the generality of ψ_A is the number of curves that can be reached by different choices of the isogeny ψ_A. For a fixed degree m, the number of curves which can be attained is

|P(E[m])|≅|P1(Z/mZ)|≈m.

For the SIDH protocol, on has ℓAnA≈ℓBnB≈p, and only p curves out of p/12 can be reached.

In the CSIDH or OSIDH protocols, the degree of the isogeny is not fixed. The total number of isogenies of any degree d up to m is

∑d=1m|P(E[d])|≈m2,

but the choice of ψ_A is restricted to a subset of 𝓞-oriented isogenies in 𝓒ℓ(𝓞). Such isogenies are restricted to a class proportional to m. Specifically, in the OSIDH construction, if we let S_m ⊂ 𝓞_K be the set of endomorphisms of degree up to m, and consider the map

Sm⊂OK⟶(OK/ℓnOK)∗OK∗(Z/ℓnZ)∗≅Cℓ(O).

Since ∣S_m∣ ≈ m, to cover a subset of p^λ classes, we need log_p(deg(ψ_A)) ≥ λ.

Private walk exponents

In practice, rather than bounding the degree, for efficient evaluation one fixes a subset of small split primes, and the space of exponent vectors is bounded. The instantiation CSIDH-512 (see [5]) uses a prime of 512 bits such that for each of 74 primes one has a choice of 11 exponents in [−5, 5]. This gives 256 bits of freedom which is of the order of magnitude to cover h(−p) ≈ p classes (up to logarithmic factors). In this instance the class number h(−p) was computed [2] and found to be 252 bits.

For the general OSIDH construction, we choose exponent vectors (e₁, …, e_t) in the space I₁ × ⋯ × I_t ⊂ ℤ^t, where I_j = [−r_j, r_j], defining ψ_A with kernel

ker⁡(ψA)=E[q1e1⋯qtet].

We thus express the map to SS(p) as the composite of the map of exponent vectors to the class group and the image of 𝓒ℓ(𝓞):

∏j=1tIj⟶Cℓ(O)⟶SS(p).

In order to avoid revealing any cycles, we want the former map to be effectively injective — either injective or computationally difficult to find a nontrivial element of the kernel in

(I1×⋯×It)∩ker⁡(Zt→Cℓ(O)).

In order to cover as many classes as possible, the latter should be nearly surjective. Supposing that the former map is injective with image of size p^λ in SS(𝓞), this gives pλ<∏j=1t(2rj+1)<|Cℓ(O)|≈ℓn. For fixed r = r_j, this gives

n>tlogℓ⁡(2r+1)>λlogℓ⁡(p).

Setting λ = 1, ℓ = 2 and log_ℓ(p) = 256, the parameters t = 74 and r = 5 give critical values as in CSIDH-512, with group action mapping to the full set of supersingular points SS(p).

7 Conclusion

By imposing the data of an orientation by an imaginary quadratic ring 𝓞, we obtain an augmented category of supersingular curves on which the class group 𝓒ℓ(𝓞) acts faithfully and transitively. This idea is already implicit in the CSIDH protocol, in which supersingular curves over 𝔽_p are oriented by the Frobenius subring Z[π]≅Z[−p]. In contrast we consider an elliptic curve E₀ oriented by a CM order 𝓞_K of class number one. To obtain a nontrivial group action, we consider descending ℓ-isogeny chains in the ℓ-volcano, on which the class group of an order 𝓞 of large index ℓⁿ in 𝓞_K acts. The map from an ℓ-isogeny chain to its terminal node forgets the structure of the orientation, giving rise to a generic curve in the supersingular isogeny graph. Within this general framework we define a new oriented supersingular isogeny Diffie-Hellman (OSIDH) protocol, which has fewer restrictions on the proportion of supersingular curves covered and on the torsion group structure of the underlying curves. Moreover, the group action can be carried out effectively solely on the sequences of modular points (such as j-invariants) on a modular curve, thereby avoiding expensive isogeny computations, and is further amenable to speedup by precomputations of endomorphisms on the base curve E₀.

References

[1] J.F. Biasse, D. Jao and A. Sankar. A quantum algorithm for computing isogenies between supersingular elliptic curves, In International Conference in Cryptology in India (2014), Springer, 428–442.10.1007/978-3-319-13039-2_25Search in Google Scholar

[2] W. Beullens, T. Kleinjung and F. Vercauteren. CSI-FiSh: Efficient isogeny based signatures through class group computations, https://eprint.iacr.org/2019/498.pdf.10.1007/978-3-030-34578-5_9Search in Google Scholar

[3] A. Bostan, F. Morain, B. Salvy and É. Schost. Fast algorithms for computing isogenies between elliptic curves, In Mathematics of Computation77 (2008), 1755–1778.10.1090/S0025-5718-08-02066-8Search in Google Scholar

[4] R. Bröker, D. Charles and K. Lauter. Evaluating Large Degree Isogenies and Applications to Pairing Based Cryptography, In Galbraith, S.D., Paterson, K.G. (eds.) Pairing 2008, Lecture Notes in Computer Science5209 (2008), Springer, 100–112.10.1007/978-3-540-85538-5_7Search in Google Scholar

[5] W. Castryck, T. Lange, C. Martindale, L. Panny, and J. Renes. CSIDH: an efficient post-quantum commutative group action, In Advances in Cryptology - ASIACRYPT 2018, Lecture Notes in Computer Science11274 (2018), Springer, 395–427.10.1007/978-3-030-03332-3_15Search in Google Scholar

[6] D. Charles, E. Goren, and C. Lauter. Cryptographic hash functions from expander graphs, J. Cryptography22 (2009), 93–113.10.1007/s00145-007-9002-xSearch in Google Scholar

[7] A. Childs, D. Jao, and V. Soukharev. Constructing elliptic curve isogenies in quantum subexponential time, In Journal of Mathematical Cryptology8 (2014), 1–29.10.1515/jmc-2012-0016Search in Google Scholar

[8] H. Cohn. Advanced Number Theory, Courier Corporation, 1980.10.1007/978-1-4899-0399-0Search in Google Scholar

[9] J.M. Couveignes. Hard Homogeneous Spaces, In IACR Cryptology ePrint Archive 2006/291 (2006), https://eprint.iacr.org/2006/291.Search in Google Scholar

[10] D.A. Cox. Primes of the form x² + ny² : Fermat, class field theory, and complex multiplication, In Pure and applied mathematics, Wiley, 1997.10.1002/9781118032756Search in Google Scholar

[11] L. De Feo, J. Kieffer, and B. Smith. Towards practical key exchange from ordinary isogeny graphs, In Advances in Cryptology - ASIACRYPT 2018, Lecture Notes in Computer Science11274 (2018), Springer, 365–394.10.1007/978-3-030-03332-3_14Search in Google Scholar

[12] M. Eichler. The basis problem for modular forms and the traces of the Hecke operators. In Lecture Notes in Mathematics320 (1973), Springer, 75–152.10.1007/978-3-540-38509-7_4Search in Google Scholar

[13] K. Eisenträger, S. Hallgren, K. Lauter, T. Morrison, and C. Petit. Supersingular Isogeny Graphs and Endomorphism Rings: Reductions and Solutions, In Advances in Cryptology - EUROCRYPT 2018, J. B. Nielsen and V. Rijmen, eds., Lecture Notes in Computer Science10822 (2018), Springer, 329–368.10.1007/978-3-319-78372-7_11Search in Google Scholar

[14] N.D. Elkies. Elliptic and modular curves over finite fields and related computational issues, In Computational Perspectives in Number Theory: Conference in Honor of A. O. L. Atkin, D. A. Buell and J. T. Teitelbaum, eds., American Mathematical Society (1998), 21–76.10.1090/amsip/007/03Search in Google Scholar

[15] M. Fouquet and F. Morain. Isogeny Volcanoes and the SEA Algorithm, In Algorithmic Number Theory. ANTS 2002, C. Fieker and D. R. Kohel, eds., Lecture Notes in Computer Science2369 (2002), Springer, 276–291.10.1007/3-540-45455-1_23Search in Google Scholar

[16] S.D. Galbraith. Constructing isogenies between elliptic curves over finite fields, LMS Journal of Computation and Mathematics2 (1999), 118–138.10.1112/S1461157000000097Search in Google Scholar

[17] S.D. Galbraith and F. Vercauteren. Computational problems in supersingular elliptic curve isogenies, In Quantum Information Processing17, 265 (2018). https://eprint.iacr.org/2017/774.10.1007/s11128-018-2023-6Search in Google Scholar

[18] D. Jao and L. De Feo. Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies, In Post-Quantum Cryptography, Lecture Notes in Computer Science7071 (2011), Springer, 19–34. https://eprint.iacr.org/2011/506.10.1007/978-3-642-25405-5_2Search in Google Scholar

[19] D. Kohel. Endomorphism rings of elliptic curves over finite fields, Ph.D. thesis, U.C. Berkeley, 1996.Search in Google Scholar

[20] G. Kuperberg. A subexponential-time quantum algorithm for the dihedral hidden subgroup problem. In SIAM Journal of Computing35, 1 (2005), 170–188.10.1137/S0097539703436345Search in Google Scholar

[21] J. Miret, D. Sadornil, J. Tena, R. Tomàs and M. Valls Isogeny cordillera algorithm to obtain cryptographically good elliptic curves, In ACSW Frontiers 2007, Conferences in Research and Practice in Information Technology 68 (2007), 127–131.Search in Google Scholar

[22] J. Neukirch. Algebraische Zahlentheorie, In Masterclass, Springer Berlin Heidelberg, 1992.10.1007/978-3-540-37663-7Search in Google Scholar

[23] S.C. Pohlig, M.E. Hellman. An improved algorithm for computing logarithms over GF(p) and its cryptographic significance, In IEEE-Transactions on Information Theory24 (1978), 106–110.10.1109/TIT.1978.1055817Search in Google Scholar

[24] O. Regev. A subexponential time algorithm for the dihedral hidden subgroup problem with polynomial space, 2004. http://arxiv.org/abs/quant-ph/0406151.Search in Google Scholar

[25] A. Rostovtsev and A. Stolbunov. Public-key cryptosystem based on isogenies, In IACR Cryptology ePrint Archive 2006/145 (2006) https://eprint.iacr.org/2006/145.Search in Google Scholar

[26] R. Schoof. Quadratic fields and factorization, In Computation Methods in Number Theory, Math. Centrum Tract 154 (1982), 235–286.Search in Google Scholar

[27] G. Shimura. Abelian Varieties with Complex Multiplication and Modular Functions, Princeton Mathematical Series 46, 1998.10.1515/9781400883943Search in Google Scholar

[28] J.H. Silverman. The Arithmetic of Elliptic Curves, Springer-Verlag, 1986.10.1007/978-1-4757-1920-8Search in Google Scholar

[29] E. Teske. The Pohlig-Hellman method generalized for group structure computation, In Journal of symbolic computation11 (1999), 1–14.10.1006/jsco.1999.0279Search in Google Scholar

Received: 2019-07-15

Accepted: 2020-07-15

Published Online: 2020-10-23

This work is licensed under the Creative Commons Attribution 4.0 International License.

Orienting supersingular isogeny graphs

Abstract

1 Introduction

2 Orientations, isogeny chains, and ladders

Isogeny graphs

Lemma 2.1

Orientations

Definition 2.2

Isogeny chains and ladders

Definition 2.3

Remark

Lemma 2.4

Remark

Definition 2.5

Lemma 2.6

Remark

3 Oriented curves and class group action

Class group action

Theorem 3.1

Corollary 3.2

On vortices and whirlpools

Definition 3.3

Whirlpool examples

Example 3.4

Example 3.5

The forgetful map to unoriented isogeny graphs

Lemma 3.6

Proof

Proposition 3.7

Proof

4 Modular isogenies

Effective endomorphism rings and isogenies

Push forward isogenies

Modular curves and isogenies

Remark

Definition 4.1

Proposition 4.2

Remark

5 OSIDH

Recall

5.1 A first naive protocol

Remark

Remark

5.2 The OSIDH protocol

Remark

Remark

Remark

6 Security considerations

Chain length

Degree of private walks

Private walk exponents

7 Conclusion

References

Journal and Issue

Articles in the same Issue