Constructing elliptic curve isogenies in quantum subexponential time

TLDR: In this article, a quantum algorithm for constructing an isogeny between two elliptic curves is presented, where the isogenies from an elliptic curve E to itself form the endomorphism ring of the curve; this ring is an imaginary quadratic order O∆ of discriminant ∆ < 0.

Abstract: Quantum computation has the potential for dramatic impact on cryptography. Shor’s algorithm [16] breaks the two most widely used public-key cryptosystems, RSA encryption and elliptic curve cryptography. Related quantum algorithms could break other classical cryptographic protocols, such as Buchmann-Williams key exchange [8] and algebraically homomorphic encryption [5]. Thus there is considerable interest in understanding which classical cryptographic schemes are or are not secure against quantum attacks, both from a practical perspective and as a potential source of new quantum algorithms that outperform classical computation. While it is well known that quantum computers can efficiently solve the discrete logarithm problem in elliptic curve groups, other computations involving elliptic curves may be significantly more difficult. In particular, Couveignes [4] and Rostovtsev and Stolbunov [15, 17] proposed publickey cryptosystems based on the presumed difficulty of constructing an isogeny between two given elliptic curves. Informally, an isogeny is a map between curves that preserves their algebraic structure. Isogenies play a major role in classical computational number theory, yet as far as we are aware they have yet to be studied from the standpoint of quantum computation. In this work, we present a quantum algorithm for constructing an isogeny between two ordinary elliptic curves. The isogenies from an elliptic curve E to itself form the endomorphism ring of the curve; this ring is an imaginary quadratic order O∆ of discriminant ∆ < 0. Given two isogenous ordinary elliptic curves E0, E1 over Fq with the same endomorphism ring O∆, we show how to construct an isogeny φ : E0 → E1 (specified by its kernel, represented by a smooth ideal class [b] ∈ Cl(O∆)). The output of this algorithm is sufficient to recover the private key in all proposed isogeny-based public-key cryptosystems [4, 15, 17]. The running time of our algorithm is subexponential—specifically, assuming the Generalized Riemann Hypothesis (GRH), it runs in time L(12 , √ 3 2 ), where L( 2 , c) := exp [ (c+ o(1)) √ ln q ln ln q ] .