Constructing elliptic curve isogenies in quantum subexponential time
TLDR
In this article, a quantum algorithm for constructing an isogeny between two elliptic curves is presented. The isogenies from an elliptic curve E to itself form the endomorphism ring of the curve; this ring is an imaginary quadratic order O_∆ of discriminant ∆ < 0.
Abstract:
Quantum computation has the potential for dramatic impact on cryptography. Shor's algorithm [16] breaks the two most widely used public-key cryptosystems, RSA encryption and elliptic curve cryptography. Related quantum algorithms could break other classical cryptographic protocols, such as Buchmann-Williams key exchange [8] and algebraically homomorphic encryption [5]. Thus there is considerable interest in understanding which classical cryptographic schemes are or are not secure against quantum attacks, both from a practical perspective and as a potential source of new quantum algorithms that outperform classical computation. While it is well known that quantum computers can efficiently solve the discrete logarithm problem in elliptic curve groups, other computations involving elliptic curves may be significantly more difficult. In particular, Couveignes [4] and Rostovtsev and Stolbunov [15, 17] proposed public-key cryptosystems based on the presumed difficulty of constructing an isogeny between two given elliptic curves. Informally, an isogeny is a map between curves that preserves their algebraic structure. Isogenies play a major role in classical computational number theory, yet as far as we are aware they have yet to be studied from the standpoint of quantum computation. In this work, we present a quantum algorithm for constructing an isogeny between two ordinary elliptic curves. The isogenies from an elliptic curve E to itself form the endomorphism ring of the curve; this ring is an imaginary quadratic order O_∆ of discriminant ∆ < 0. Given two isogenous ordinary elliptic curves E0, E1 over F_q with the same endomorphism ring O_∆, we show how to construct an isogeny φ : E0 → E1 (specified by its kernel, represented by a smooth ideal class [b] ∈ Cl(O_∆)). The output of this algorithm is sufficient to recover the private key in all proposed isogeny-based public-key cryptosystems [4, 15, 17].
The running time of our algorithm is subexponential: specifically, assuming the Generalized Riemann Hypothesis (GRH), it runs in time $L(\tfrac{1}{2}, \tfrac{\sqrt{3}}{2})$, where $L(\tfrac{1}{2}, c) := \exp\big[(c + o(1))\sqrt{\ln q \,\ln\ln q}\,\big]$.
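Added note (not part of the paper's abstract), spelling out what the $L$ notation means relative to the input size. Take the input size to be $n = \ln q$ (proportional to the bit length of $q$). Then

$$\ln L(\tfrac{1}{2}, c) = (c + o(1))\sqrt{n \ln n},$$

so

$$\frac{\ln L(\tfrac{1}{2}, c)}{n} = (c + o(1))\sqrt{\frac{\ln n}{n}} \;\to\; 0
\qquad\text{and}\qquad
\frac{\ln L(\tfrac{1}{2}, c)}{\ln n} = (c + o(1))\sqrt{\frac{n}{\ln n}} \;\to\; \infty .$$

That is, $L(\tfrac{1}{2}, c) = 2^{o(n)}$ but $L(\tfrac{1}{2}, c) = n^{\omega(1)}$: the running time grows faster than any polynomial in the input size, yet slower than any exponential $2^{\varepsilon n}$ with $\varepsilon > 0$. By contrast, Shor's discrete-logarithm algorithm cited above runs in time polynomial in $n$, so the isogeny problem sits strictly between the two regimes on a quantum computer.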
Citations
Journal ArticleDOI
On the Performance Analysis for CSIDH-Based Cryptosystems
TL;DR: This paper generalizes the existence of a collision for a base prime p ≡ 7 (mod 8) and presents a new interval for the private key that gives a similar security level across the various CSIDH-based algorithms, allowing a fair comparison of their performance and security.
Dissertation
The non-injective hidden shift problem
TL;DR: This work shows that the average-case non-injective hidden shift problem can be reduced to the injective hidden shift problem by giving one such reduction, and shows that the worst-case classical query complexity of the generalized injective hidden shift problem over the same group is high, which implies that the classical query complexity of the hidden shift problem is high.
Journal ArticleDOI
A novel quantum (t, n) threshold group signature based on d-dimensional quantum system
Mingzhu Gao,Wei Yang,Yang Liu +2 more
TL;DR: In this paper, a quantum threshold group signature scheme is proposed on a basis of d-dimensional quantum system, where n signatories form a group, and only t or more signatories can generate a valid signature on behalf of this group by means of using the cyclic characteristics of mutually unbiased bases (MUBs).
Book ChapterDOI
A Fusion Algorithm for Solving the Hidden Shift Problem in Finite Abelian Groups
TL;DR: In this paper, Peikert et al. showed that there is a quantum algorithm for solving the hidden shift problem in an arbitrary finite abelian group with polynomial time complexity, where the memory requirements are mostly in terms of quantum random access classical memory.
Proceedings ArticleDOI
Secure Delegation of Isogeny Computations and Cryptographic Applications
Robi Pedersen,Osmanbey Uzunkol +1 more
TL;DR: In this article, the problem of speeding up isogeny computation for supersingular elliptic curves over finite fields using untrusted computational resources like third party servers or cloud service providers was addressed.
References
Journal ArticleDOI
Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer
TL;DR: In this paper, the authors considered factoring integers and finding discrete logarithms on a quantum computer and gave an efficient randomized algorithm for these two problems, which takes a number of steps polynomial in the input size of the integer to be factored.
Journal ArticleDOI
Reducing elliptic curve logarithms to logarithms in a finite field
TL;DR: The main result of the paper is to demonstrate the reduction of the elliptic curve logarithm problem to the logarithm problem in the multiplicative group of an extension of the underlying finite field, thus providing a probabilistic subexponential time algorithm for the former problem.
Journal ArticleDOI
Endomorphisms of Abelian Varieties over Finite Fields.
TL;DR: In this paper, it was shown that Hom_k(A', A'') is a free module of rank 2g over the ring Z_ℓ of ℓ-adic integers, and the canonical map is Z-free.
Book
Primes of the Form x2 + ny2: Fermat, Class Field Theory, and Complex Multiplication
Abstract: FROM FERMAT TO GAUSS. Fermat, Euler and Quadratic Reciprocity. Lagrange, Legendre and Quadratic Forms. Gauss, Composition and Genera. Cubic and Biquadratic Reciprocity. CLASS FIELD THEORY. The Hilbert Class Field and p = x^2 + ny^2. The Hilbert Class Field and Genus Theory. Orders in Imaginary Quadratic Fields. Class Field Theory and the Chebotarev Density Theorem. Ring Class Fields and p = x^2 + ny^2. COMPLEX MULTIPLICATION. Elliptic Functions and Complex Multiplication. Modular Functions and Ring Class Fields. Modular Functions and Singular j-Invariants. The Class Equation. Elliptic Curves. References. Index.
Journal ArticleDOI
Abelian varieties over finite fields
TL;DR: Gauthier-Villars, as mentioned in this paper, implies agreement with the general terms of use (http://www.numdam.org/conditions).
Related Papers (5)
Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies
David Jao,Luca De Feo +1 more