Constructing elliptic curve isogenies in quantum subexponential time
TLDR
In this article, a quantum algorithm for constructing an isogeny between two elliptic curves is presented, where the isogenies from an elliptic curve E to itself form the endomorphism ring of the curve; this ring is an imaginary quadratic order O∆ of discriminant ∆ < 0.
Abstract
Quantum computation has the potential for dramatic impact on cryptography. Shor’s algorithm [16] breaks the two most widely used public-key cryptosystems, RSA encryption and elliptic curve cryptography. Related quantum algorithms could break other classical cryptographic protocols, such as Buchmann-Williams key exchange [8] and algebraically homomorphic encryption [5]. Thus there is considerable interest in understanding which classical cryptographic schemes are or are not secure against quantum attacks, both from a practical perspective and as a potential source of new quantum algorithms that outperform classical computation. While it is well known that quantum computers can efficiently solve the discrete logarithm problem in elliptic curve groups, other computations involving elliptic curves may be significantly more difficult. In particular, Couveignes [4] and Rostovtsev and Stolbunov [15, 17] proposed public-key cryptosystems based on the presumed difficulty of constructing an isogeny between two given elliptic curves. Informally, an isogeny is a map between curves that preserves their algebraic structure. Isogenies play a major role in classical computational number theory, yet as far as we are aware they have yet to be studied from the standpoint of quantum computation. In this work, we present a quantum algorithm for constructing an isogeny between two ordinary elliptic curves. The isogenies from an elliptic curve E to itself form the endomorphism ring of the curve; this ring is an imaginary quadratic order O∆ of discriminant ∆ < 0. Given two isogenous ordinary elliptic curves E0, E1 over Fq with the same endomorphism ring O∆, we show how to construct an isogeny φ : E0 → E1 (specified by its kernel, represented by a smooth ideal class [b] ∈ Cl(O∆)). The output of this algorithm is sufficient to recover the private key in all proposed isogeny-based public-key cryptosystems [4, 15, 17].
The running time of our algorithm is subexponential—specifically, assuming the Generalized Riemann Hypothesis (GRH), it runs in time $L(\tfrac{1}{2}, \tfrac{\sqrt{3}}{2})$, where $L(\tfrac{1}{2}, c) := \exp\left[(c + o(1))\sqrt{\ln q \,\ln\ln q}\right]$.
Citations
Book Chapter
CSIDH: an efficient Post-Quantum Commutative Group Action
TL;DR: The Diffie–Hellman scheme resulting from the group action allows for public-key validation at very little cost, runs reasonably fast in practice, and has public keys of only 64 bytes at a conjectured AES-128 security level, matching NIST’s post-quantum security category I.
Book Chapter
Efficient Algorithms for Supersingular Isogeny Diffie-Hellman
TL;DR: This paper proposes a new suite of algorithms that significantly improve the performance of supersingular isogeny Diffie-Hellman (SIDH) key exchange and presents a full-fledged implementation of SIDH that is geared towards the 128-bit quantum and 192-bit classical security levels.
Journal Article
Towards Post-Quantum Blockchain: A Review on Blockchain Cryptography Resistant to Quantum Computing Attacks
TL;DR: Current state of the art on post-quantum cryptosystems and how they can be applied to blockchains and DLTs are studied, as well as their main challenges.
Book Chapter
On the Security of Supersingular Isogeny Cryptosystems
TL;DR: In this paper, the authors studied cryptosystems based on supersingular isogenies, and showed that the security of all schemes of this type depends on the difficulty of computing the endomorphism ring of a supersingular elliptic curve.
Book Chapter
CSI-FiSh: Efficient Isogeny Based Signatures Through Class Group Computations
TL;DR: In this paper, a new record class group computation of an imaginary quadratic field having 154-digit discriminant, surpassing the previous record of 130 digits, was reported.
References
Journal Article
Quantum Computation and Lattice Problems
TL;DR: This work presents the first explicit connection between quantum computation and lattice problems and a solution to the unique shortest vector problem (SVP) under the assumption that there exists an algorithm that solves the hidden subgroup problem on the dihedral group by coset sampling.
Book Chapter
Extending the GHS Weil Descent Attack
TL;DR: In this article, the authors extend the Weil descent attack due to Gaudry, Hess and Smart (GHS) to a much larger class of elliptic curves, and show that a larger proportion than previously thought of elliptic curves over $\mathbb{F}_{2^{155}}$ should be considered weak.
Journal Article
Polynomial-time quantum algorithms for Pell's equation and the principal ideal problem
TL;DR: This work gives polynomial-time quantum algorithms for three problems from computational algebraic number theory, including Pell's equation, the principal ideal problem in real quadratic number fields, and the one-way function underlying the Buchmann--Williams key exchange system.
Journal Article
Constructing public-key cryptographic schemes based on class group action on a set of isogenous elliptic curves
TL;DR: This work proposes a public-key encryption scheme and key agreement protocols based on a group action on a set and introduces a novel way of using elliptic curves for constructing asymmetric cryptography.
Journal Article
Constructing Isogenies between Elliptic Curves Over Finite Fields
TL;DR: The goal of this paper is to describe a probabilistic algorithm for constructing an isogeny over a finite field Fp that is efficient in certain situations (that is, when the class number of the endomorphism ring is small).
Related Papers (5)
Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies
David Jao, Luca De Feo +1 more