Keywords

1 Introduction

Isogeny-based protocols form one of the youngest and least-explored families of post-quantum candidate cryptosystems. The best-known isogeny-based protocol is Jao and De Feo’s SIDH key exchange [36], from which the NIST candidate key-encapsulation mechanism SIKE was derived [4, 53]. SIDH was itself inspired by earlier key-exchange constructions by Couveignes [19] and Rostovtsev and Stolbunov [57, 61, 62], which were widely considered unwieldy and impractical.

Indeed, the origins of isogeny-based cryptography can be traced back to Couveignes’ “Hard Homogeneous Spaces” manuscript, that went unpublished for ten years before appearing in [19]. A principal homogeneous space (PHS) for a group G is a set X with an action of G on X such that for any \(x,x'\in X\), there is a unique \(g\in G\) such that \(g\cdot x = x'\). Equivalently, the map \({\varphi }_x: g\mapsto g\cdot x\) is a bijection between G and X for any \(x\in X\). Couveignes defines a hard homogeneous space (HHS) to be a PHS where the action of G on X is efficiently computable, but inverting the isomorphism \({\varphi }_x\) is computationally hard for any x.

figure a

Any HHS X for an abelian group G can be used to construct a key exchange based on the hardness of inverting \(\varphi _x\), as shown in Algorithms 1 and 2. If Alice and Bob have keypairs \((g_A,x_A)\) and \((g_B,x_B)\), respectively, then the commutativity of G lets them derive a shared secret

The analogy with classic group-based Diffie–Hellman is evident.

figure b

For example, if \(X=\langle {x}\rangle \) is cyclic of order p and \(G=(\mathbb {Z}/p\mathbb {Z})^*\) acts on \(X\setminus \{1\}\) by \(g{\cdot }x=x^g\), then inverting \({\varphi }_x\) is the discrete logarithm problem (DLP) in X. But inverting \({\varphi }_x\) for other homogeneous spaces may not be related to any DLP, and might resist attacks based on Shor’s quantum algorithm. Similar ideas have occasionally appeared in the literature in different forms [40, 48].

Couveignes viewed HHS chiefly as a general framework encompassing various Diffie–Hellman-like systems. Nevertheless, he suggested using a specific HHS based on the theory of complex multiplication of elliptic curves, in a sense generalizing Buchmann and Williams’ class-group-based Diffie–Hellman key exchange [10]. Independently, Rostovtsev and Stolbunov proposed in [57] a public key encryption scheme based on the same HHS. Later, Stolbunov [62] derived more protocols from this, including an interactive key exchange scheme similar to Algorithm 2. Rostovtsev and Stolbunov’s proposal deviates from the HHS paradigm in the way random elements of G are sampled, as we will explain in Sect. 3. This makes the primitive less flexible, but also more practical.

Rostovtsev and Stolbunov advertised their cryptosystems as potential post-quantum candidates, leading Childs, Jao and Soukharev to introduce the first subexponential quantum algorithm capable of breaking them [13]. Hence, being already slow enough to be impractical in a classical security setting, their primitive appeared even more impractical in a quantum security setting.

But the Couveignes–Rostovtsev–Stolbunov primitive (CRS) has some important advantages over SIDH which make it worth pursuing. Unlike SIDH, CRS offers efficient and safe public key validation, making it suitable for non-interactive key exchange (NIKE). Further, CRS does not suffer from some of the potential cryptographic weaknesses that SIDH has, such as short paths and the publication of image points.

This paper aims to improve and modernize the CRS construction, borrowing techniques from SIDH and point-counting algorithms, to the point of making it usable in a post-quantum setting. Our main contributions are in Sects. 3, 4, where we present a new, more efficient way of computing the CRS group action, and in Sect. 5, where we give precise classic and quantum security estimates, formalize hardness assumptions, and sketch security proofs in stronger models than those previously considered. In Sect. 6 we present a proof-of-concept implementation and measure its performance. While the final result is far from competitive, we believe it constitutes progress towards a valid isogeny-based alternative to SIDH.

CSIDH. While preparing this paper we were informed of recent work by Castryck, Lange, Martindale, Panny, and Renes, introducing CSIDH, an efficient post-quantum primitive based on CRS [12]. Their work builds upon the ideas presented in Sects. 3, 4, using them in a different homogeneous space where they apply effortlessly. Their breakthrough confirms that, if anything, our techniques were a fundamental step towards the first practical post-quantum non-interactive key exchange protocol.

Side channel awareness. The algorithms we present here are not intended to provide any protection against basic side-channel attacks. Uniform and constant-time algorithms for arbitrary-degree isogeny computations are an interesting open problem, but they are beyond the scope of this work.

2 Isogenies and Complex Multiplication

We begin by recalling some basic facts on isogenies of elliptic curves over finite fields. For an in-depth introduction to these concepts, we refer the reader to [59]. For a general overview of isogenies and their use in cryptography, we suggest [21].

2.1 Isogenies Between Elliptic Curves

In what follows \(\mathbb {F}_q\) is a finite field of characteristic p with q elements, and \(\overline{\mathbb {F}}_q\) is its algebraic closure. Let E and \(E'\) be elliptic curves defined over \(\mathbb {F}_q\). A homomorphism \(\phi :E{\rightarrow }E'\) is an algebraic map sending \(0_E\) to \(0_{E'}\); it induces a group homomomorphism from \(E(\overline{\mathbb {F}}_q)\) to \(E'(\overline{\mathbb {F}}_q)\) [59, III.4]. An endomorphism is a homomorphism from a curve to itself. The endomorphisms of E form a ring \({{\mathrm{End}}}(E)\), with the group law on E for addition and composition for multiplication. The simplest examples of endomorphisms are the scalar multiplications [m] (mapping P to the sum of m copies of P) and the Frobenius endomorphism

$$\begin{aligned} \pi : E&\longrightarrow E \,, \\ (x,y)&\longmapsto (x^q,y^q) \,. \end{aligned}$$

As an element of \({{\mathrm{End}}}(E)\), Frobenius satisfies a quadratic equation \(\pi ^2 + q = t\pi \). The integer t (the trace) fully determines the order of E as \(\#E(\mathbb {F}_q)=q+1-t\). A curve is called supersingular if p divides t, ordinary otherwise.

An isogeny is a non-zero homomorphism of elliptic curves. The degree of an isogeny is its degree as an algebraic map, so for example the Frobenius endomorphism \(\pi \) has degree q, and the scalar multiplication [m] has degree \(m^2\). Isogenies of degree \(\ell \) are called \(\ell \)-isogenies. The kernel \(\ker {\phi }\) of \(\phi \) is the subgroup of \(E(\overline{\mathbb {F}}_q)\) that is mapped to \(0_{E'}\). An isogeny \({\phi }\) is cyclic if \(\ker {\phi }\) is a cyclic group.

An isomorphism is an isogeny of degree \(1\). An isomorphism class of elliptic curves is fully determined by their common j-invariant in \(\overline{\mathbb {F}}_q\). If any curve in the isomorphism class is defined over \(\mathbb {F}_q\), then its j-invariant is in \(\mathbb {F}_q\).

Any isogeny can be factored as a composition of a separable and a purely inseparable isogeny. Purely inseparable isogenies have trivial kernel, and degree a power of p. Separable isogenies include all isogenies of degree coprime to p. Up to isomorphism, separable isogenies are in one-to-one correspondence with their kernels: for any finite subgroup \(G{\subset }E\) of order \(\ell \) there is an elliptic curve E / G and an \(\ell \)-isogeny \(\phi : E \rightarrow E/G\) such that \(\ker \phi = G\), and the curve and isogeny are unique up to isomorphism. In particular, if \(\phi \) is separable then \(\deg {\phi }=\#\ker {\phi }\). It is convenient to encode \(\ker \phi \) as the polynomial whose roots are the x-coordinates of the points in \(\ker \phi \), called the kernel polynomial of \(\phi \).

For any \(\ell \)-isogeny \({\phi }:E\rightarrow {E}'\), there is a unique \(\ell \)-isogeny \(\hat{{\phi }}:E'\rightarrow {E}\) such that \({\phi }\circ \hat{{\phi }} = [\ell ]\) on \(E'\) and \(\hat{{\phi }}\circ {\phi } = [\ell ]\) on E. We call \(\hat{{\phi }}\) the dual of \({\phi }\). This shows that being \(\ell \)-isogenous is a symmetric relation, and that being isogenous is an equivalence relation. Further, a theorem of Tate states that two curves are isogenous over \(\mathbb {F}_q\) if and only if they have the same number of points over \(\mathbb {F}_q\).

2.2 Isogeny Graphs

Isogeny-based cryptosystems are based on isogeny graphs. These are (multi)-graphs whose vertices are elliptic curves up to isomorphism, and whose edges are isogenies between them (again up to isomorphism). The use of isogeny graphs for algorithmic applications goes back to Mestre and Oesterlé [49], followed notably by Kohel [41], and has been continued by many authors [26, 29, 31, 37, 50].

We write \(E[\ell ]\) for the subgroup of \(\ell \)-torsion points of \(E(\overline{\mathbb {F}}_q)\). If \(\ell \) is coprime to p, then \(E[\ell ]\) is isomorphic to \((\mathbb {Z}/\ell \mathbb {Z})^2\). Furthermore, if \(\ell \) is prime then \(E[\ell ]\) contains exactly \(\ell +1\) cyclic subgroups of order \(\ell \); it follows that, over \(\overline{\mathbb {F}}_q\), there are exactly \(\ell +1\) distinct (non-isomorphic) separable \(\ell \)-isogenies from E to other curves. Generically, a connected component of the \(\ell \)-isogeny graph over \(\overline{\mathbb {F}}_q\) will be an infinite \((\ell +1)\)-regular graph (a notable exception is the finite connected component of supersingular curves, used in SIDH and related protocols).

We now restrict to isogenies defined over \(\mathbb {F}_q\). If E and \(E'\) are elliptic curves over \(\mathbb {F}_q\), then an isogeny \({\phi }:E{\rightarrow }E'\) is defined over \(\mathbb {F}_q\) (up to a twist of \(E'\)) if and only if the Frobenius endomorphism \(\pi \) on E stabilizes \(\ker {\phi }\). We emphasize that the points in \(\ker \phi \) need not be defined over \(\mathbb {F}_q\) themselves.

For the vertices of the \(\overline{\mathbb {F}}_q\)-isogeny graph we use j-invariants, which classify elliptic curves up to \(\overline{\mathbb {F}}_q\)-isomorphism; but in the sequel we want to work up to \(\mathbb {F}_q\)-isomorphism, a stronger equivalence. If E and \(\tilde{E}\) are not \(\mathbb {F}_q\)-isomorphic but \(j(E) = j(\tilde{E})\), then \(\tilde{E}\) is the quadratic twist of E (which is defined and unique up to \(\mathbb {F}_q\)-isomorphism).Footnote 1 When E is ordinary, its quadratic twist has a different cardinality (if \(\#E(\mathbb {F}_q) = q + 1 - t\), then \(\#\tilde{E}(\mathbb {F}_q) = q + 1 + t\)), so E and \(\tilde{E}\) are in different components of the isogeny graph. But every \(\mathbb {F}_q\)-isogeny \(\phi : E \rightarrow E'\) corresponds to an \(\mathbb {F}_q\)-isogeny \(\tilde{\phi }: \tilde{E} \rightarrow \tilde{E}'\) of the same degree between the quadratic twists. The component of the \(\mathbb {F}_q\)-isogeny graph containing an ordinary curve and the component containing its twist are thus isomorphic; we are therefore justified in identifying them, using j-invariants in \(\mathbb {F}_q\) for vertices in the \(\mathbb {F}_q\)-graph.Footnote 2 This is not just a mathematical convenience: we will see in Sect. 3 below that switching between a curve and its twist often allows a useful optimization in isogeny computations.

If an isogeny \({\phi }\) is defined over \(\mathbb {F}_q\) and cyclic, then \(\pi \) acts like a scalar on the points of \(\ker {\phi }\). Thus, for any prime \(\ell \ne p\), the number of outgoing \(\ell \)-isogenies from E defined over \(\mathbb {F}_q\) can be completely understood by looking at how \(\pi \) acts on \(E[\ell ]\). Since \(E[\ell ]\) is a \(\mathbb {Z}/\ell \mathbb {Z}\)-module of rank 2, the action of \(\pi \) is represented by a \(2 \times 2\) matrix with entries in \(\mathbb {Z}/\ell \mathbb {Z}\) and characteristic polynomial \(X^2-tX+q\mod \ell \). We then have four possibilities:

  1. (0)

    \(\pi \) has no eigenvalues in \(\mathbb {Z}/\ell \mathbb {Z}\), i.e. \(X^2-tX+q\) is irreducible modulo \(\ell \); then E has no \(\ell \)-isogenies.

  2. (1.1)

    \(\pi \) has one eigenvalue of (geometric) multiplicity one, i.e. it is conjugate to a non-diagonal matrix \(\left( {\begin{matrix}\lambda &{}*\\ 0&{}\lambda \end{matrix}}\right) \); then there is one \(\ell \)-isogeny from E.

  3. (1.2)

    \(\pi \) has one eigenvalue of multiplicity two, i.e. it acts like a scalar matrix \(\left( {\begin{matrix}\lambda &{}0\\ 0&{}\lambda \end{matrix}}\right) \); then there are \(\ell +1\) isogenies of degree \(\ell \) from E.

  4. (2)

    \(\pi \) has two distinct eigenvalues, i.e. it is conjugate to a diagonal matrix \(\left( {\begin{matrix}\lambda &{}0\\ 0&{}\mu \end{matrix}}\right) \) with \(\lambda \ne \mu \); then there are two \(\ell \)-isogenies from E.

The primes \(\ell \) in Case (2) are called Elkies primes for E; these are the primes of most interest to us. Cases (1.x) are only possible if \(\ell \) divides \(\varDelta _pi = t^2-4q\), the discriminant of the characteristic equation of \(\pi \); for ordinary curves \(\varDelta _pi \ne 0\), so only a finite number of \(\ell \) will fall in these cases, and they will be mostly irrelevant to our cryptosystem. We do not use any \(\ell \) in Case (0).

Since all curves in the same isogeny class over \(\mathbb {F}_q\) have the same number of points, they also have the same trace t and discriminant \(\varDelta _\pi \). It follows that if \(\ell \) is Elkies for some E in \({{\mathrm{Ell}}}_q(\mathcal {O})\), then it is Elkies for every curve in \({{\mathrm{Ell}}}_q(\mathcal {O})\).

Hence, if \(\ell \) is an Elkies prime for a curve E, then the connected component of E in the \(\ell \)-isogeny graph is a finite 2-regular graph—that is, a cycle. In the next subsection we describe a group action on this cycle, and determine its size.

2.3 Complex Multiplication

In this subsection we focus exclusively on ordinary elliptic curves. If E is an ordinary curve with Frobenius \(\pi \), then \({{\mathrm{End}}}(E)\) is isomorphic to an order Footnote 3 in the quadratic imaginary field \(\mathbb {Q}(\sqrt{\varDelta _\pi })\) (see [59, III.9]). A curve whose endomorphism ring is isomorphic to an order \(\mathcal {O}\) is said to have complex multiplication by \(\mathcal {O}\). For a detailed treatment of the theory of complex multiplication, see [45, 60].

The ring of integers \(\mathcal {O}_K\) of \(K=\mathbb {Q}(\sqrt{\varDelta _\pi })\) is its maximal order: it contains any other order of K. Hence \(\mathbb {Z}[\pi ]\subset {{\mathrm{End}}}(E)\subset \mathcal {O}_K\), and there is only a finite number of possible choices for \({{\mathrm{End}}}(E)\). If we write \(\varDelta _\pi =d^2\varDelta _K\), where \(\varDelta _K\) is the discriminantFootnote 4 of \(\mathcal {O}_K\), then the index \([\mathcal {O}_K:{{\mathrm{End}}}(E)]\) must divide \(d=[\mathcal {O}_K:\mathbb {Z}[\pi ]]\).

It turns out that isogenies allow us to navigate the various orders. If \({\phi }:E{\rightarrow }E'\) is an \(\ell \)-isogeny, then one of the following holds [41, Prop. 21]:

  • \({{\mathrm{End}}}(E) = {{\mathrm{End}}}(E')\), and then \({\phi }\) is said to be horizontal;

  • \([{{\mathrm{End}}}(E):{{\mathrm{End}}}(E')] = \ell \), and then \({\phi }\) is said to be descending;

  • \([{{\mathrm{End}}}(E'):{{\mathrm{End}}}(E)] = \ell \), and then \({\phi }\) is said to be ascending.

Notice that the last two cases can only happen if \(\ell \) divides \(d^2=\varDelta _\pi /\varDelta _K\), and thus correspond to Cases (1.x) in the previous subsection. If \(\ell \) does not divide \(\varDelta _\pi \), then \({\phi }\) is necessarily horizontal.

We now present a group action on the set of all curves up to isomorphism having complex multiplication by a fixed order \(\mathcal {O}\); the key exchange protocol of Sect. 3 will be built on this action. Let \(\mathfrak a\) be an invertible ideal in \({{\mathrm{End}}}(E)\simeq \mathcal {O}\) of norm prime to p, and define the \({\mathfrak a}\)-torsion subgroup of E as

This subgroup is the kernel of a separable isogeny \(\phi _{\mathfrak a}\).Footnote 5 The codomain \(E/E[\mathfrak a]\) of \(\phi _{\mathfrak a}\) is well-defined up to isomorphism and will be denoted \(\mathfrak a\cdot E\). The isogeny \(\phi _{\mathfrak a}\) is always horizontal—that is, \({{\mathrm{End}}}(\mathfrak a \cdot E) = {{\mathrm{End}}}(E)\)—and its degree is the norm of \(\mathfrak a\) as an ideal of \({{\mathrm{End}}}(E)\).

Let \({{\mathrm{Ell}}}_q(\mathcal {O})\) be the set of isomorphism classes over \(\overline{\mathbb {F}}_q\) of curves with complex multiplication by \(\mathcal {O}\), and assume it is non-empty. The construction above gives rise to an action of the group of fractional ideals of \(\mathcal {O}\) on \({{\mathrm{Ell}}}_q(\mathcal {O})\). Furthermore, the principal ideals act trivially (the corresponding isogenies are endomorphisms), so this action induces an action of the ideal class group \(\mathcal {C}(\mathcal {O})\) on \({{\mathrm{Ell}}}_q(\mathcal {O})\).

The main theorem of complex multiplication states that this action is simply transitive. In other terms, \({{\mathrm{Ell}}}_q(\mathcal {O})\) is a PHS under the group \(\mathcal {C}(\mathcal {O})\): if we fix a curve E as base point, then we have a bijection

$$ \begin{aligned} \mathcal {C}(\mathcal {O})&\longrightarrow {{\mathrm{Ell}}}_q(\mathcal {O}) \\ \text {Ideal class of }\mathfrak a&\longmapsto \text {Isomorphism class of }\mathfrak a\cdot E. \end{aligned} $$

The order of \(\mathcal {C}(\mathcal {O})\) is called the class number of \(\mathcal {O}\), and denoted by \(h(\mathcal {O})\). An immediate consequence of the theorem is that \(\#{{\mathrm{Ell}}}_q(\mathcal {O})=h(\mathcal {O})\).

As before, we work with \(\mathbb {F}_q\)-isomorphism classes. Then \({{\mathrm{Ell}}}_q(\mathcal {O})\) decomposes into two isomorphic PHSes under \(\mathcal {C}(\mathcal {O})\), each containing the quadratic twists of the curves in the other. We choose one of these two components, that we will also denote \({{\mathrm{Ell}}}_q(\mathcal {O})\) in the sequel. (The choice is equivalent to a choice of isomorphism \({{\mathrm{End}}}(E) \cong \mathcal {O}\), and thus to a choice of sign on the image of \(\pi \) in \(\mathcal {O}\).)

Now let \(\ell \) be an Elkies prime for \(E\in {{\mathrm{Ell}}}_q(\mathcal {O})\). So far, we have seen that the connected component of E in the \(\ell \)-isogeny graph is a cycle of horizontal isogenies. Complex multiplication tells us more. The restriction of the Frobenius to \(E[\ell ]\) has two eigenvalues \(\lambda \ne \mu \), to which we associate the prime ideals \(\mathfrak {a}=(\pi -\lambda ,\ell )\) and \(\hat{\mathfrak a}=(\pi -\mu ,\ell )\), both of norm \(\ell \). We see then that \(E[\mathfrak a]\) is the eigenspace of \(\lambda \), defining an isogeny \({\phi }_{\mathfrak {a}}\) of degree \(\ell \). Furthermore \(\mathfrak a\hat{\mathfrak a} = \hat{\mathfrak a}\mathfrak a = (\ell )\), implying that \(\mathfrak a\) and \(\hat{\mathfrak a}\) are the inverse of one another in \(\mathcal {C}(\mathcal {O})\), thus the isogeny \({\phi }_{\hat{\mathfrak a}}:\mathfrak a{\cdot }E{\rightarrow }E\) of kernel \((\mathfrak a{\cdot }E)[\hat{\mathfrak a}]\) is the dual of \({\phi }_{\mathfrak a}\) (up to isomorphism).

The eigenvalues \(\lambda \) and \(\mu \) define opposite directions on the \(\ell \)-isogeny cycle, independent of the starting curve, as shown in Fig. 1. The size of the cycle is the order of \((\pi -\lambda ,\ell )\) in \(\mathcal {C}(\mathcal {O})\), thus partitioning \({{\mathrm{Ell}}}_q(\mathcal {O})\) into cycles of equal size.

Fig. 1.
figure 1

An isogeny cycle for an Elkies prime \(\ell \), with edge directions associated with the Frobenius eigenvalues \(\lambda \) and \(\mu \).

Full size image
Fig. 2.
figure 2

Undirected Schreier graph on \(\langle {x}\rangle \setminus \{1\}\) where \(x^{13} = 1\), acted upon by \((\mathbb {Z}/13\mathbb {Z})^*\), generated by \(S=\{2,3,5\}\) (resp. blue, red and green edges). (Color figure online)

Full size image

3 Key Exchange from Isogeny Graphs

We would like to instantiate the key exchange protocol of Algorithm 2 with the PHS \(X = {{\mathrm{Ell}}}_q(\mathcal {O})\) for the group \(G = \mathcal {C}(\mathcal {O})\), for some well chosen order \(\mathcal {O}\) in a quadratic imaginary field. However, given a generic element of \(\mathcal {C}(\mathcal {O})\), the best algorithm [38] to evaluate its action on \({{\mathrm{Ell}}}_q(\mathcal {O})\) has subexponential complexity in q, making the protocol infeasible. The solution, following Couveignes [19], is to fix a set S of small prime ideals in \(\mathcal {O}\), whose action on X can be computed efficiently, and such that compositions of elements of S cover the whole of G. The action of an arbitrary element of G is then the composition of a series of actions by small elements in S. As Rostovtsev and Stolbunov [57] observed, it is useful to visualise this decomposed action as a walk in an isogeny graph.

3.1 Walks in Isogeny Graphs

Let G be a group, X a PHS for G, and S a subset of G. The Schreier graph \(\mathcal {G}(G,S,X)\) is the labelled directed graph whose vertex set is X, and where an edge labelled by \({s}\in {S}\) links \(x_1\) to \(x_2\) if and only if \(s\cdot x_1 = x_2\). It is isomorphic to a Cayley graph for G. If S is symmetric (that is, \(S^{-1}=S\)), then we associate the same label to s and \(s^{-1}\), making the graph undirected.

A walk in \(\mathcal {G}(G,S,X)\) is a finite sequence \((s_1,\ldots ,s_n)\) of steps in S. We define the action of this walk on X as

$$ (s_1,\ldots ,s_n){\cdot }x = \big (\prod _{i=1}^n s_i\big ){\cdot }x. $$

In our application G is abelian, so the order of the steps \(s_i\) does not matter. We can use this action directly in the key exchange protocol of Algorithm 2, by simply taking private keys to be walks instead of elements in G.

Example 1

Figure 2 shows \(\mathcal {G}(G,S,X)\) where \(G=(\mathbb {Z}/13\mathbb {Z})^*\), \(S = \{2,3,5\}\cup \{2^{-1},3^{-1},5^{-1}\}\), and \(X = \langle {x}\rangle \setminus \{1\}\) is a cyclic group of order 13, minus its identity element. The action of G on X is exponentiation: \(g{\cdot }x=x^g\). The action of 11, which takes \(x^k\) to \(x^{11k}\), can be expressed using the walks (2, 5, 5), or \((2^{-1},3^{-1})\), or (3, 5), for example. Note that 5 has order 4 modulo 13, thus partitioning \(\langle {x}\rangle \setminus \{1\}\) into 3 cycles of length 4.

Returning to the world of isogenies, we now take

  • \(X={{\mathrm{Ell}}}_q(\mathcal {O})\) as the vertex set, for some well-chosen q and \(\mathcal {O}\); in particular we require \(\mathcal {O}\) to be the maximal order (see Sect. 5).

  • \(G=\mathcal {C}(\mathcal {O})\) as the group acting on X;

  • S a set of ideals, whose norms are small Elkies primes in \(\mathcal {O}\).

The graph \(\mathcal {G}(G,S,X)\) is thus an isogeny graph, composed of many isogeny cycles (one for the norm of each prime in S) superimposed on the vertex set \({{\mathrm{Ell}}}_q(\mathcal {O})\). It is connected if S generates \(\mathcal {C}(\mathcal {O})\). Walks in \(\mathcal {G}(G,S,X)\) are called isogeny walks.

We compute the action of an ideal \(\mathfrak s\) (a single isogeny step) on an \(x{\in }{{\mathrm{Ell}}}_q(\mathcal {O})\) by choosing a representative curve E with \(x = j(E)\), and computing an isogeny \({\phi }_{\mathfrak s}:E{\rightarrow }E'\) from E corresponding to \(\mathfrak {s}\); the resulting vertex is \(\mathfrak s \cdot x = j(E')\). The action of an isogeny walk \((\mathfrak s_i)_i\) is then evaluated as the sequence of isogeny steps \({\phi }_{\mathfrak s_i}\). Algorithms for these operations are given in the next subsection.

Using this “smooth” representation of elements in \(\mathcal {C}(\mathcal {O})\) as isogeny walks lets us avoid computing \(\mathcal {C}(\mathcal {O})\) and \({{\mathrm{Ell}}}_q(\mathcal {O})\), and avoid explicit ideal class arithmetic; only isogenies between elliptic curves are computed. In practice, we re-use the elliptic curve \(E'\) from one step as the E in the next; but we emphasize that when isogeny walks are used for Diffie–Hellman, the resulting public keys and shared secrets are not the final elliptic curves, but their j-invariants.

3.2 Computing Isogeny Walks

Since \(\mathcal {C}(\mathcal {O})\) is commutative, we can break isogeny walks down into a succession of walks corresponding to powers of single primes \(\mathfrak {s} = (\ell ,\pi -\lambda )\); that is, repeated applications of the isogenies \(\phi _{\mathfrak {s}}\). Depending on \(\mathfrak {s}\), we will compute each sequence of \(\phi _{\mathfrak s}\) using one of two different methods:

  • Algorithm 5 (ElkiesWalk) uses Algorithm 3 (ElkiesFirstStep) followed by a series of calls to Algorithm 4 (ElkiesNextStep), both which use the modular polynomial \(\varPhi _\ell (X, Y)\). This approach works for any \(\mathfrak s\).

  • Algorithm 7 (VéluWalk) uses a series of calls to Algorithm 6 (VéluStep). This approach, which uses torsion points on E, can only be applied when \(\lambda \) satisfies certain properties.

Rostovtsev and Stolbunov only used analogues of Algorithms 3 and 4. The introduction of VéluStep, inspired by SIDH and related protocols (and now a key ingredient in the CSIDH protocol [12]), speeds up our protocol by a considerable factor; this is the main practical contribution of our work.

figure c
figure d
figure e
figure f
figure g

Elkies steps. Algorithms 3 and 4 compute single steps in the \(\ell \)-isogeny graph. Their correctness follows from the definition of the modular polynomial \(\varPhi _\ell \): a cyclic \(\ell \)-isogeny exists between two elliptic curves E and \(E'\) if and only if \(\varPhi _\ell (j(E), j(E')) = 0\) (see [58, Sect. 6] and [24, Sect. 3] for the relevant theory). One may use the classical modular polynomials here, or alternative, lower-degree modular polynomials (Atkin polynomials, for example) with minimal adaptation to the algorithms. In practice, \(\varPhi _\ell \) is precomputed and stored: several publicly available databases exist (see [42] and [8, 9, 66], for example).

Given a j-invariant j(E), we can compute its two neighbours in the \(\ell \)-isogeny graph by evaluating \(P(X) = \varPhi _\ell (j(E),X)\) (a polynomial of degree \(\ell +1\)), and then computing its two roots in \(\mathbb {F}_q\). Using a Cantor–Zassenhaus-type algorithm, this costs \(\tilde{O}(\ell \log q)\) \(\mathbb {F}_q\)-operations.

We need to make sure we step towards the neighbour in the correct direction. If we have already made one such step, then this is easy: it suffices to avoid backtracking. Algorithm 4 (ElkiesNextStep) does this by removing the factor corresponding to the previous j-invariant in Line 4; this algorithm can be used for all but the first of the steps corresponding to \(\mathfrak {s}\).

It remains to choose the right direction in the first step for \(\mathfrak {s} = (\ell ,\pi -\lambda )\). In Algorithm 3 we choose one of the two candidates for \(\phi _{\mathfrak s}\) arbitrarily, and compute its kernel polynomial. This costs \(\tilde{O}(\ell )\) \(\mathbb {F}_q\)-operations using the Bostan–Morain–Salvy–Schost algorithm [7] with asymptotically fast polynomial arithmetic. We then compute an element Q of \(\ker \phi _\mathfrak {s}\) over an extension of \(\mathbb {F}_q\) of degree at most \(\frac{\ell -1}{2}\), then evaluate \(\pi (Q)\) and \([\lambda ]Q\). If they match, then we have chosen the right direction; otherwise we take the other root of P(X).

Algorithm 5 (ElkiesWalk) combines these algorithms to compute the iterated action of \(\mathfrak {s}\). Line 5 ensures that the curve returned is the the correct component of the \(\ell \)-isogeny graph. Both ElkiesFirstStep and ElkiesNextStep cost \(\tilde{O}(\ell \log q)\) \(\mathbb {F}_q\)-operations, dominated by the calculation of the roots of P(X).

Vélu steps. For some ideals \(\mathfrak {s} = (\ell ,\pi -\lambda )\), we can completely avoid modular polynomials, and the costly computation of their roots, by constructing \(\ker \phi _{\mathfrak {s}}\) directly from \(\ell \)-torsion points. Let r be the order of \(\lambda \) modulo \(\ell \); then \(\ker \phi _{\mathfrak s} \subseteq E(\mathbb {F}_{q^r})\). If r is not a multiple of the order of the other eigenvalue \(\mu \) of \(\pi \) on \(E[\ell ]\), then \(E[\ell ](\mathbb {F}_{q^r}) = \ker \phi _{\mathfrak s}\). Algorithm 6 (VéluStep) exploits this fact to construct a generator Q of \(\ker \phi _{\mathfrak s}\) by computing a point of order \(\ell \) in \(E(\mathbb {F}_{q^r})\). The roots of the kernel polynomial of \(\phi _{\mathfrak s}\) \(x(Q), \ldots , x([(\ell -1)/2]Q)\).Footnote 6

Constructing a point Q of order \(\ell \) in \(E(\mathbb {F}_{q^r})\) is straightforward: we take random points and multiply by the cofactor \(C_r/\ell \), where \(C_r := \#E(\mathbb {F}_{q^r})\). Each trial succeeds with probability \(1 - 1/\ell \). Note that \(C_r\) can be easily (pre)computed from the Frobenius trace t: if we write \(C_r = q - t_r + 1\) for \(r > 0\) (so \(t_1 = t\)) and \(t_0 = 2\), then the \(t_r\) satisfy the recurrence \(t_r = t\cdot t_{r-1} - q\cdot t_{r-2}\).

We compute the quotient curve in Line 6 with Vélu’s formulæ [69] in \(O(\ell )\) \(\mathbb {F}_q\)-operations. Since \(\log C_r\simeq r\log q\), provided \(\ell = O(\log q)\), the costly step in Algorithm 6 is the scalar multiplication at Line 3, which costs \(\tilde{O}(r^2\log q)\) \(\mathbb {F}_q\)-operations.

Comparing the costs. To summarize:

  • Elkies steps cost \(\tilde{O}(\ell \log q)\) \(\mathbb {F}_q\)-operations;

  • Vélu steps cost \(\tilde{O}(r^2\log q)\) \(\mathbb {F}_q\)-operations, where r is the order of \(\lambda \) in \(\mathbb {Z}/\ell \mathbb {Z}\).

In general \(r = O(\ell )\), so Elkies steps should be preferred. However, when r is particularly small (and not a multiple of the order of the other eigenvalue), a factor of \(\ell \) can be saved using Vélu steps. The value of r directly depends on \(\lambda \), which is in turn determined by \(\#E(\mathbb {F}_p)\) mod \(\ell \). Thus, we see that better Step performances depend on the ability to find elliptic curves whose order satisfies congruence conditions modulo small primes. Unfortunately, we can only achieve this partially (see Sect. 4), so the most efficient solution is to use Vélu steps when we can, and Elkies steps for some other primes.

In practice, Algorithm 6 can be improved by using elliptic curve models with more efficient arithmetic. In our implementation (see Sect. 6), we used x-only arithmetic on Montgomery models [18, 51], which also have convenient Vélu formulæ [17, 56]. Note that we can also avoid computing y-coordinates in Algorithm 6 at Line 5 if \(\lambda \ne \pm \mu \): this is the typical case for Elkies steps, and we used this optimization for all Elkies primes in our implementation.

Remark 1

Note that, in principle, Algorithm 6, can only be used to walk in one direction \(\mathfrak {s}_{\lambda }=(\ell ,\pi -{\lambda })\), and not in the opposite one \(\mathfrak s_\mu =(\ell ,\pi -\mu )\). Indeed we have assumed that \(E[\mathfrak {s}_\lambda ]\) is in \(E(\mathbb {F}_{q^r})\), while \(E[\mathfrak s_\mu ]\) is not. However, switching to a quadratic twist \(\tilde{E}\) of E over \(\mathbb {F}_{q^r}\) changes the sign of the Frobenius eigenvalues, thus it may happen that \(\tilde{E}[\mathfrak s_{-\mu }]\) is in \(\tilde{E}(\mathbb {F}_{q^r})\), while \(\tilde{E}[\mathfrak s_{-\lambda }]\) is not. It is easy to force this behavior by asking that \(p \equiv -1\pmod {\ell }\), indeed then \(\lambda = -1/\mu \).

For these eigenvalue pairs we can thus walk in both directions using Vélu steps at no additional cost, following either the direction \(\lambda \) on E, or the direction \(-\mu \) on a twist. In Algorithm 6, only the curve order and the random point sampling need to be modified when using quadratic twists.

3.3 Sampling Isogeny Walks for Key Exchange

We now describe how keys are generated and exchanged in our protocol. Since the cost of the various isogeny walks depends on the ideals chosen, we will use adapted, or skewed, smooth representations when sampling elements in \(\mathcal {C}(\mathcal {O})\) in order to minimize the total computational cost of a key exchange.

We take a (conjectural) generating set for \(\mathcal {C}(\mathcal {O})\) consisting of ideals over a set S of small Elkies primes, which we partition into three sets according to the step algorithms to be used. We maintain three lists of tuples encoding these primes:

 

\(S_{VV}\) :

is a list of tuples \((\ell ,\lambda ,\mu )\) such that the ideal \((\ell ,\pi - \lambda )\) and its inverse \((\ell ,\pi -\mu )\) are both amenable to VéluStep.

\(S_{VE}\) :

is a list of tuples \((\ell ,\lambda )\) such that \((\ell ,\pi -\lambda )\) is amenable to VéluStep but its inverse \((\ell ,\pi -\mu )\) is not.

\(S_{EE}\) :

is a list of tuples \((\ell ,\lambda ,\mu )\) such that neither \((\ell ,\pi - \lambda )\) nor \((\ell ,\pi -\mu )\) are amenable to VéluStep.

 

In \(S_{VV}\) and \(S_{EE}\), the labelling of eigenvalues as \(\lambda \) and \(\mu \) is fixed once and for all (that is, the tuples \((\ell ,\lambda ,\mu )\) and \((\ell ,\mu ,\lambda )\) do not both appear). This fixes directions in each of the \(\ell \)-isogeny cycles. Looking back at Fig. 1, for \(\ell \) associated with \(S_{EE}\) and \(S_{VV}\), both directions in the \(\ell \)-isogeny graph will be available for use in walks; for \(S_{VE}\), only the Vélu direction will be used.

Each secret key in the cryptosystem is a walk in the isogeny graph. Since the class group \(\mathcal {C}(\mathcal {O})\) is commutative, such a walk is determined by the multiplicities of the primes \(\mathfrak {s}\) that appear in it. Algorithm 8 (KeyGen) therefore encodes private-key walks as exponent vectors, with one integer exponent for each tuple in \(S_{VV}\), \(S_{VE}\), and \(S_{EE}\). For a tuple \((\ell ,\lambda ,\mu )\),

  • a positive exponent \(k_\ell \) indicates a walk of \(k_\ell \) \(\ell \)-isogeny steps in direction \(\lambda \);

  • a negative exponent \(-k_\ell \) indicates \(k_\ell \) \(\ell \)-isogeny steps in direction \(\mu \).

For the tuples \((\ell ,\lambda )\) in \(S_{VE}\), where we do not use the slower \(\mu \)-direction, we only allow non-negative exponents. We choose bounds \(M_\ell \) on the absolute value of the exponents \(k_\ell \) so as to minimize the total cost of computing isogeny walks, while maintaining a large keyspace. As a rule, the bounds will be much bigger for the primes in \(S_{VV}\) and \(S_{VE}\), where Vélu steps can be applied.

The public keys are j-invariants in \(\mathbb {F}_q\), so they can be stored in \(\log _2 q\) bits; the private keys are also quite compact, but their precise size depends on the number of primes \(\ell \) and the choice of exponent bounds \(M_\ell \), which is a problem we will return to in Sect. 6.

figure h

Algorithm 9 completes a Diffie–Hellman key exchange by applying a combination of Elkies and Vélu walks (Algorithms 5 and 7, respectively).

figure i

4 Public Parameter Selection

It is evident that the choice of public parameters has a heavy impact on the execution time: smaller Elkies primes, and smaller multiplicative orders of the Frobenius eigenvalues, will lead to better performance. Since all of this information is contained in the value of \(\# E(\mathbb {F}_q)\), we now face the problem of constructing ordinary elliptic curves of prescribed order modulo small primes. Unfortunately, and in contrast with the supersingular case, no polynomial-time method to achieve this is known in general: the CM method [3, 64], which solves this problem when the corresponding class groups are small, is useless in our setting (see Sect. 5).

In this section we describe how to use the Schoof–Elkies–Atkin (SEA) point counting algorithm with early abort, combined with the use of certain modular curves, to construct curves whose order satisfies some constraints modulo small primes. This is faster than choosing curves at random and computing their orders completely until a convenient one is found, but it still does not allow us to use the full power of Algorithm VéluStep.

Early-abort SEA. The SEA algorithm [52, 58] is the state-of-the-art point-counting algorithm for elliptic curves over large-characteristic finite fields. In order to compute \(N = \# E(\mathbb {F}_p)\), it computes N modulo a series of small Elkies primes \(\ell \), before combining the results via the CRT to get the true value of N.

Cryptographers are usually interested in generating elliptic curves of prime or nearly prime order, and thus without small prime factors. While running SEA on random candidate curves, one immediately detects if \(N \equiv 0\pmod {\ell }\) for the small primes \(\ell \); if this happens then the SEA execution is aborted, and restarted with a new curve.

Here, the situation is the opposite: we want elliptic curves whose cardinality has many small prime divisors. To fix ideas, we choose the 512-bit prime

$$ p := 7 \left( \prod _{2\le \ell \le 380,\ \ell \text { prime}} \ell \right) - 1 \,. $$

Then, according to Remark 1, Algorithm VéluStep can be used for \(\ell \)-isogenies in both directions for any prime \(\ell \le 380\), as soon as the order of its eigenvalues is small enough. We now proceed as follows:

  • Choose a smoothness bound B (we used \(B = 13\)).

  • Pick elliptic curves E at random in \(\mathbb {F}_p\), and use the SEA algorithm, aborting when any \(\ell \le B\) with \(\#E(\mathbb {F}_p) \not \equiv 0\pmod {\ell }\) is found.

  • For each E which passed the tests above, complete the SEA algorithm to compute \(\#E(\mathbb {F}_p)\), and estimate the key exchange running time using this curve as a public parameter (see Sect. 6).

  • The “fastest” curves now give promising candidates for \(\#E(\mathbb {F}_p)\).

In considering the efficiency of this procedure, it is important to remark that very few curves will pass the early-abort tests. The bound B should be chosen to balance the overall cost of the first few tests with that of the complete SEA algorithm for the curves which pass them. Therefore, its value is somewhat implementation-dependent.

Finding the maximal order. Once a “good” curve E has been computed, we want to find a curve \(E_0\) having the same number of points, but whose endomorphism ring is maximal, and to ensure that its discriminant is a large integer. Therefore, we attempt to factor the discriminant \(\varDelta _\pi \) of \(\mathbb {Z}[\pi ]\): if it is squarefree, then E already has maximal endomorphism ring, and in general the square factors of \(\varDelta _\pi \) indicate which ascending isogenies have to be computed in order to find \(E_0\).

Remark 2

Factoring random 512-bit integers is not hard in general, and discriminants of quadratic fields even tend to be slightly smoother than random integers.

If a discriminant fails to be completely factored, a conservative strategy would be to discard it, but ultimately undetected large prime-square factors do not present a security issue because computing the possible corresponding large-degree isogenies is intractable (see Sect. 5).

Using the modular curve \(X_1(N)\). Since we are looking for curves with smooth cardinalities, another improvement to this procedure is available: instead of choosing elliptic curves uniformly at random, we pick random candidates using an equation for the modular curve \(X_1(N)\) [65], which guarantees the existence of a rational N-torsion point on the sampled elliptic curve. This idea is used in the procedure of selecting elliptic curves in the Elliptic Curve Method for factoring [70, 71]. In our implementation we used \(N = 17\), and also incorporated the existence test in [54] for Montgomery models for the resulting elliptic curves.

Results. We implemented this search using the Sage computer algebra system. Our experiments were conducted on several machines running Intel Xeon E5520 processors at 2.27GHz. After 17,000 hours of CPU time, we found the Montgomery elliptic curve \( E : y^2 = x^3 + A x^2 + x \) over \(\mathbb {F}_p\) with p as above, and

The trace of Frobenius t of E is

$$ \scriptstyle -147189550172528104900422131912266898599387555512924231762107728432541952979290\,. $$

There is a rational \(\ell \)-torsion point on E, or its quadratic twist, for each \(\ell \) in

$$ \{3, 5, 7, 11, 13, 17, 103, 523, 821, 947, 1723\} \,; $$

each of these primes is Elkies. Furthermore, \({{\mathrm{End}}}(E)\) is the maximal order, and its discriminant is a 511-bit integer that has the following prime factorization:

$$ \begin{aligned} \scriptstyle -&\scriptstyle 2^3 \cdot 20507 \cdot 67429 \cdot 11718238170290677 \cdot 12248034502305872059 \\&\scriptstyle {}\cdot 60884358188204745129468762751254728712569\\&\scriptstyle {}\cdot 68495197685926430905162211241300486171895491480444062860794276603493\,. \end{aligned} $$

In Sect. 6, we discuss the practical performance of our key-exchange protocol using these system parameters. Other proposals for parameters are given in [39].

5 Security

We now address the security of the CRS primitive, and derived protocols. Intuitively, these systems rely on two assumptions:

  1. 1.

    given two curves E and \(E'\) in \({{\mathrm{Ell}}}_q(\mathcal {O})\), it is hard to find a (smooth degree) isogeny \({\phi }:E{\rightarrow }E'\); and

  2. 2.

    the distribution on \({{\mathrm{Ell}}}_q(\mathcal {O})\) induced by the random walks sampled in Algorithm 8 is computationally undistinguishable from the uniform distribution.

We start by reviewing the known attacks for the first problem, both in the classical and the quantum setting. Then, we formalize security assumptions and give security proofs against passive adversaries. Finally, we discuss key validation and protection against active adversaries.

5.1 Classical Attacks

We start by addressing the following, more general, problem:

Problem 1

Given two ordinary elliptic curves \(E,E'\) defined over a finite field \(\mathbb {F}_q\), such that \(\#E(\mathbb {F}_q)=\#E'(\mathbb {F}_q)\), find an isogeny walk \((\phi _i)_{1\le {i}\le {n}}\) such that \(\phi _n\circ \cdots \circ {\phi }_1(E)=E'\).

The curves in Problem 1 are supposed to be sampled uniformly, though this is never exactly the case in practice. This problem was studied before the emergence of isogeny-based cryptography [28, 29, 31], because of its applications to conventional elliptic-curve cryptography [31, 37, 67]. The algorithm with the best asymptotic complexity is due to Galbraith, Hess and Smart [31]. It consists of three stages:  

Stage 0.:

Use walks of ascending isogenies to reduce to the case where \({{\mathrm{End}}}(E)\cong {{\mathrm{End}}}(E')\) is the maximal order.

Stage 1.:

Start two random walks of horizontal isogenies from E and \(E'\); detect the moment when they collide using a Pollard-rho type of algorithm.

Stage 2.:

Reduce the size of the obtained walk using index-calculus techniques.

 

To understand Stage 0, recall that all isogenous elliptic curves have the same order, and thus the same trace t of the Frobenius endomorphism \(\pi \). We know that \({{\mathrm{End}}}(E)\) is contained in the ring of integers \(\mathcal {O}_K\) of \(K=\mathbb {Q}(\sqrt{\varDelta _\pi })\), where \(\varDelta _\pi =t^2-4q\) is the Frobenius discriminant. As before we write \(\varDelta _\pi =d^2\varDelta _K\), where \(\varDelta _K\) is the discriminant of \(\mathcal {O}_K\); then for any \(\ell \mid d\), the \(\ell \)-isogeny graph of E contains ascending and descending \(\ell \)-isogenies; these graphs are referred to as volcanoes [26] (see Fig. 3). Ascending isogenies go from curves with smaller endomorphism rings to curves with larger ones, and take us to a curve with \({{\mathrm{End}}}(E)\simeq {\mathcal {O}}_K\) in \(O(\log d)\) steps; they can be computed efficiently using the algorithms of [22, 26, 35, 41]. AssumingFootnote 7 all prime factors of d are in \(O(\log q)\), we can therefore compute Stage 0 in time polynomial in \(\log q\).

Fig. 3.
figure 3

3-isogeny graph (volcano) containing the curve with \(j(E)=607\) over \(\mathbb {F}_{6007}\). A larger vertex denotes a larger endomorphism ring.

Full size image

The set \({{\mathrm{Ell}}}_q(\mathcal {O}_K)\) has the smallest size among all sets \({{\mathrm{Ell}}}_q(\mathcal {O})\) for \(\mathcal {O}\subset \mathcal {O}_K\), so it is always interesting to reduce to it. This justifies using curves with maximal endomorphism ring in the definition of the protocol in Sect. 3. When \(\varDelta _\pi \) is square-free, \(\mathbb {Z}[\pi ]\) is the maximal order, and the condition is automatically true.

The collision search in Stage 1 relies on the birthday paradox, and has a complexity of \(O(\sqrt{h(\mathcal {O}_K)})\).

It is known that, on average, \(h(\mathcal {O}_K)\approx {0.461}\cdots \sqrt{|\varDelta _K|}\) (see [15, 5.10]), and, assuming the extended Riemann hypothesis, we even have a lower bound (see [47])

$$\begin{aligned} h(\mathcal {O}_K) \ge 0.147\cdots \frac{(1+o(1))\sqrt{|\varDelta _K|}}{\log \log |\varDelta _K|}. \end{aligned}$$

Since \(\varDelta _K\sim q\), we expect Stage 1 to take time \(O(q^{1/4})\), which justifies a choice of q four times as large as the security parameter. Unfortunately, class numbers are notoriously difficult to compute, the current record being for a discriminant of 300 bits [5]. Computing class numbers for \({\sim 500}\)-bit discriminants seems to be expensive, albeit feasible; thus, we can only rely on these heuristic arguments to justify the security of our proposed parameters.

The horizontal isogeny produced by Stage 1 is represented by an ideal constructed as a product of exponentially many small ideals. Stage 2 converts this into a sequence of small ideals of length polynomial in \(\log q\). Its complexity is bounded by that of Stage 1, so it has no impact on our security estimates.

Remark 3

The Cohen–Lenstra heuristic [16] predicts that the odd part of \(\mathcal {C}(\mathcal {O}_K)\) is cyclic with overwhelming probability, and other heuristics [33] indicate that \(h(\mathcal {O}_K)\) is likely to have a large prime factor. However, since there is no known way in which the group structure of \(\mathcal {C}(\mathcal {O}_K)\) can affect the security of our protocol, we can disregard this matter. No link between the group structure of \(E(\mathbb {F}_q)\) itself and the security is known, either.

5.2 Quantum Attacks

On a quantum computer, an attack with better asymptotic complexity is given by Childs, Jao and Soukharev in [13]. It consists of two algorithms:

  1. 1.

    A (classical) algorithm that takes as input an elliptic curve \(E{\in }{{\mathrm{Ell}}}_q(\mathcal {O})\) and an ideal \(\mathfrak a{\in }\mathcal {C}(\mathcal {O})\), and outputs the curve \(\mathfrak a{\cdot }E\);

  2. 2.

    A generic quantum algorithm for the dihedral hidden subgroup problem (dHSP), based upon previous work of Kuperberg [43, 44] and Regev [55].

The ideal evaluation algorithm has sub-exponential complexity \(L_q(\frac{1}{2},\frac{\sqrt{3}}{2})\). However, after a subexponential-time classical precomputation, any adversary can know the exact class group structure; in that case, this ideal evaluation step could possibly be performed in polynomial time (and non-negligible success probability) using LLL-based methods, as discussed in [63] and [19, Sect. 5].

The dHSP algorithm uses the ideal evaluation algorithm as a (quantum) black box, the number of queries depending on the variant. Childs–Jao–Soukharev gave two versions of this algorithm, Kuperberg’s [43] and Regev’s [55]. However, both are superseded by Kuperberg’s recent work [44]: his new algorithm solves the dHSP in any abelian group of order N using \(2^{O(\sqrt{\log N})}\) quantum queries and classical space, but only \(O(\log N)\) quantum space. Given this estimate, we expect the bit size of q to grow at worst like the square of the security parameter.

Unfortunately, the analysis of Kuperberg’s new algorithm is only asymptotic, and limited to N of a special form; it cannot be directly used to draw conclusions on concrete cryptographic parameters at this stage, especially since the value of the constant hidden by the O() in the exponent is unclear. Thus, it is hard to estimate the impact of this attack at concrete security levels such as those required by NIST [53].

Nevertheless, we remark that the first version of Kuperberg’s algorithm, as described in [55, Algorithm 5.1 and Remark 5.2] requires \(O(2^{3\sqrt{\log N}}\log N)\) black-box queries and \(\sim 2^{3\sqrt{\log N}}\) qubits of memory. Although the quantum memory requirements of this algorithm are rather high, we will take its query complexity as a crude lower bound for the complexity of Kuperberg’s newer algorithm in the general case. Of course, this assumption is only heuristic, and should be validated by further study of quantum dHSP solvers; at present time, unfortunately, no precise statement can be made.

Table 1 thus proposes various parameter sizes, with associated numbers of quantum queries based on the observations above; we also indicate the estimated time to (classically) precompute the class group structure according to [5].Footnote 8 Whenever the quantum query complexity alone is enough to put a parameter in one of NIST’s security categories [53], we indicate it in the table. We believe that using query complexity alone is a very conservative choice, and should give more than enough confidence in the post-quantum security properties of our scheme.

The system parameters we proposed in Sect. 4 correspond to the first line of Table 1, thus offering at least 56-bit quantum and 128-bit classical security.

Table 1. Suggested parameter sizes and associated classical security, class group computation time, and query complexity, using the heuristic estimations of Sect. 5.2.
Full size table

5.3 Security Proofs

We now formalize the assumptions needed to prove the security of the key exchange protocol, and other derived protocols such as PKEs and KEMs, in various models. Given the similarity with the classical Diffie–Hellman protocol on a cyclic group, our assumptions are mostly modeled on those used in that context. Here we are essentially following the lead of Couveignes [19] and Stolbunov [62, 63]. However, we take their analyses a step further by explicitly modeling the hardness of distinguishing random walks on Cayley graphs from the uniform distribution: this yields stronger proofs and a better separation of security concerns.

For the rest of this section q is a prime power, \(\mathcal {O}\) is an order in a quadratic imaginary field with discriminant \(\varDelta \sim q\), \(\mathcal {C}(\mathcal {O})\) is the class group of \(\mathcal {O}\), \({{\mathrm{Ell}}}_q(\mathcal {O})\) is the (non-empty) set of elliptic curves with complex multiplication by \(\mathcal {O}\), and \(E_0\) is a fixed curve in \({{\mathrm{Ell}}}_q(\mathcal {O})\). Finally, S is a set of ideals of \(\mathcal {O}\) with norm polynomial in \(\log q\), and \(\sigma \) is a probability distribution on the set \(S^*\) of isogeny walks (i.e. finite sequences of elements in S) used to sample secrets in the key exchange protocol. We write \(x\overset{\sigma }{\in } X\) for an element taken from a set X according to \(\sigma \), and \(x\overset{R}{\in }X\) for an element taken according to the uniform distribution.

Our security proofs use four distributions on \({{\mathrm{Ell}}}_q(\mathcal {O})^3\):

The assumption needed to prove security of the protocols is the hardness of a problem analogous to the classic Decisional Diffie–Hellman (DDH) problem.

Definition 1

(Isogeny Walk DDH (IW-DDH)). Given a triplet of curves \((E_a,E_b,E_{ab})\) sampled with probability \(\frac{1}{2}\) from \(\mathcal {R}_{q,\varDelta ,\sigma }\) and \(\frac{1}{2}\) from \(\mathcal {W}_{q,\varDelta ,\sigma }\), decide from which it was sampled.

We split this problem into two finer-grained problems. The first is that of distinguishing between commutative squares sampled uniformly at random and commutative squares sampled from the distribution \(\sigma \).

Definition 2

(Isogeny Walk Distinguishing (IWD)). Given a triplet of curves \((E_a,E_b,E_{ab})\) sampled with probability \(\frac{1}{2}\) from \(\mathcal {W}_{q,\varDelta ,\sigma }\) and \(\frac{1}{2}\) from \(\mathcal {G}_{q,\varDelta }\), decide from which it was sampled.

The second problem is a group-action analogue of DDH. It also appears in [19] under the name vectorization, and in [62, 63] under the name DDHAP.

Definition 3

(Class Group Action DDH (CGA-DDH)). Given a triplet of curves \((E_a,E_b,E_{ab})\) sampled with probability \(\frac{1}{2}\) from \(\mathcal {G}_{q,\varDelta }\) and \(\frac{1}{2}\) from \(\mathcal {U}_{q,\varDelta }\), decide from which it was sampled.

We want to prove the security of protocols based on the primitive of Sect. 3 under the CGA-DDH and IWD assumptions combined. To do this we give a lemma showing that CGA-DDH and IWD together imply IW-DDH. The technique is straightforward: we use an IW-DDH oracle to solve both the CGA-DDH and IWD problems, showing that at least one of the two must be solvable with non-negligible advantage. The only technical difficulty is that we need an efficient way to simulate the uniform distribution on \({{\mathrm{Ell}}}_q(\mathcal {O})\); for this, we use another Cayley graph on \({{\mathrm{Ell}}}_q(\mathcal {O})\), with a potentially larger edge set, that is proven in [37] to be an expander under the generalized Riemann hypothesis (GRH).

We let \(\mathsf {Adv}^{A}_{\text {IW-DDH}}\) be the advantage of an adversary A against IW-DDH, defined as the probability that A answers correctly, minus 1 / 2:

$$ 2\mathsf {Adv}^{A}_{\text {IW-DDH}} = {{\mathrm{Pr}}}\bigl [A(\mathcal {R}_{q,\varDelta ,\sigma }) = 1\bigr ] - {{\mathrm{Pr}}}\bigl [A(\mathcal {W}_{q,\varDelta ,\sigma }) = 1\bigr ] \,. $$

We define \(\mathsf {Adv}^{A}_{\text {CGA-DDH}}\) and \(\mathsf {Adv}^{A}_{\text {IWD}}\) similarly. Switching answers if needed, we can assume all advantages are positive. We let \(\mathsf {Adv}^{}_{\text {X}}(t)\) denote the maximum of \(\mathsf {Adv}^{A}_{\text {X}}\) over all adversaries using at most t resources (running time, queries, etc.).

Lemma 1

Assuming GRH, for q large enough and for any bound t on running time, and for any \(\epsilon >0\),

$$ \mathsf {Adv}^{}_{\text {IW-DDH}}(t) \le 2\mathsf {Adv}^{}_{\text {IWD}}(t+{{\mathrm{poly}}}(\log q, \log \epsilon )) + \mathsf {Adv}^{}_{\text {CGA-DDH}}(t) + \epsilon \,. $$

Proof

(Sketch). We start with an adversary A for IW-DDH, and we construct two simulators S and T for CGA-DDH and IWD respectively.

  • The simulator S simply passes its inputs to A, and returns A’s response.

  • The simulator T receives a triplet \((E_a,E_b,E_{ab})\) taken from \(\mathcal {G}_{q,\varDelta }\) or \(\mathcal {W}_{q,\varDelta ,\sigma }\), and flips a coin to decide which of the two following actions it will do:

    • forward \((E_a,E_b,E_{ab})\) to A, and return the bit given by A; or

    • generate a random curve \(E_c{\in }{{\mathrm{Ell}}}_q(\mathcal {O})\), forward \((E_a,E_b,E_c)\) to A, and return the opposite bit to the one given by A.

The curve \(E_c\) must be sampled from a distribution close to uniform for the simulator T to work. The only way at our disposal to sample \(E_c\) uniformly would be to sample a uniform \(\mathfrak c{\in }\mathcal {C}(\mathcal {O})\) and take \(E_c=\mathfrak c{\cdot }E_0\), but this would be too costly. Instead we use [37, Theorem 1.5], combined with standard results about random walks in expander graphs (for instance, an easy adaptation of the proof of [37, Lemma 2.1]), to sample \(E_c\) so that any curve in \({{\mathrm{Ell}}}_q(\mathcal {O})\) is taken with probability between \((1-\epsilon )/h(\mathcal {O})\) and \((1+\epsilon )/h(\mathcal {O})\), using only \({{\mathrm{poly}}}(\log q, \log \epsilon )\) operations. We can consider this sampling as follows: with probability \(1-\epsilon \), sample \(E_c\) uniformly, and with probability \(\epsilon \) sample it from an unknown distribution.

Now, if T forwarded \((E_a,E_b,E_{ab})\) untouched, then we immediately get

Averaging over the two outcomes concludes the proof.    \(\square \)

Finally, we define an isogeny-walk analogue of the classic Computational Diffie–Hellman (CDH) problem for groups. Using the same techniques as above, we can prove the security of the relevant protocols based only on CGA-CDH and IWD, without the generalized Riemann hypothesis.

Definition 4

(Class Group Action CDH (CGA-CDH)). Given \(E_a=\mathfrak a{\cdot }E_0\) and \(E_b=\mathfrak b{\cdot }E_0\) with \(\mathfrak a,\mathfrak b\overset{R}{\in }\mathcal {C}(\mathcal {O})\), compute the curve \(E_{ab}=\mathfrak {ab}{\cdot }E_0\).

Stolbunov proved the security of HHS Diffie–Hellman under the equivalent of CGA-DDH [62]. Repeating the same steps, we can prove the following theorem.

Theorem 1

If the CGA-DDH and IWD assumptions hold, assuming GRH, the key-agreement protocol defined by Algorithms 8 and 9 is session-key secure in the authenticated-links adversarial model of Canetti and Krawczyk [11].

Similarly, we can prove the IND-CPA security of the hashed ElGamal protocol derived from Algorithm 8 by replicating the techniques of e.g. [30, Sect. 20.4.11].

Theorem 2

Assuming CGA-CDH and IWD, the hashed ElGamal protocol derived from Algorithms 8 and 9 is IND-CPA secure in the random oracle model.

A heuristic discussion of the IWD assumption. From its very definition, the IWD problem depends on the probability distribution \(\sigma \) we use to sample random walks in the isogeny graph. In this paragraph, we provide heuristic arguments suggesting that the IWD instances generated by Algorithm 9 are hard, provided

  1. 1.

    the keyspace size is at least \(\sqrt{|\varDelta _K|}\), and

  2. 2.

    S is not too small, i.e. the number of isogeny degrees used is in \(\varOmega (\log q)\).

Proving rapid mixing of isogeny walks with such parameters seems out of reach at present, even under number-theoretic hypotheses such as GRH. The best results available, like [37, Theorem 1.5] (used in the proof of Lemma 1), typically require isogeny degrees in \(\varOmega ((\log q)^B)\) for some \(B>2\), and fully random walks that are not, for example, skewed towards smaller-degree isogenies.

However, numerical evidence suggests that these theoretical results are too weak. In [37, 7.2], it is asked whether an analogue of the previous theorem would be true with the sole constraint \(B>1\). In [31, Sect. 3], it is mentioned that many fewer split primes are needed to walk in the isogeny graph than theoretically expected. Practical evidence also suggests that the rapid mixing properties are not lost with skewed random walks: such walks are used in [28] to accelerate an algorithm solving Problem 1. We believe that these experiments can bring some evidence in favor of relying on the IWD assumptions with more aggressive parameters than those provided by GRH, although further investigation is required.

5.4 Key Validation and Active Security

Modern practice in cryptography mandates the use of stronger security notions than IND-CPA. From the DLP assumption, it is easy to construct protocols with strong security against active adversaries. For example, it is well-known that the hashed ElGamal KEM achieves IND-CCA security in the random oracle model under various assumptions [1, 2, 20].

All of these constructions crucially rely on key validation: that is, Alice must verify that the public data sent by Bob defines valid protocol data (e.g., valid elements of a cyclic group), or abort if this is not the case. Failure to perform key validation may result in catastrophic attacks, such as small subgroup [46], invalid point [6], and invalid curve attacks [14].

In our context, key validation amounts to verifying that the curve sent by Bob really is an element of \({{\mathrm{Ell}}}_q(\mathcal {O}_K)\). Failure to do so exposes Alice to an invalid graph attack, where Bob forces Alice onto an isogeny class with much smaller discriminant, or different Elkies primes, and learns something on Alice’s secret.

Fortunately, key validation is relatively easy for protocols based on the CRS primitive. All we need to check is that the received j-invariant corresponds to a curve with the right order, and with maximal endomorphism ring.

Verifying the curve order. Since we already know the trace t of the Frobenius endomorphism of all curves in \({{\mathrm{Ell}}}_q(\mathcal {O})\), we only need to check that the given E has order \(q+1-t\). Assuming that E is cyclic, or contains a cyclic group of order larger than \(4\sqrt{q}\), a very efficient randomized algorithm consists in taking a random point P and verifying that it has the expected order. This task is easy if the factorization of \(q+1-t\) is known.

Concretely, the curve given in Sect. 4 has order

$$ N = 2^2\,{\cdot }\, 3^2\, {\cdot }\, 5\, {\cdot }\, 7 {\cdot }\, 11\, {\cdot }\, 13^2\, {\cdot }\, 17\, {\cdot }\, 103\, {\cdot }\, 523\, {\cdot }\, 821\, {\cdot }\, 1174286389\, {\cdot }\, (\text {432-bit prime})\,, $$

and its group structure is \(\mathbb {Z}/2\mathbb {Z}\times \mathbb {Z}/\frac{N}{2}\mathbb {Z}\). To check that a curve is in the same isogeny class, we repeatedly take random points until we find one of order N / 2.

Verifying the endomorphism ring level. The curve order verification proves that \({{\mathrm{End}}}(E)\) is contained between \(\mathbb {Z}[\pi ]\) and \(\mathcal {O}_K\). We have already seen that there is only a finite number of possible rings: their indices in \(\mathcal {O}_K\) must divide d where \(d^2=\varDelta _\pi /\varDelta _K\). Ascending and descending isogenies connect curves with different endomorphism rings, thus we are left with the problem of verifying that E is on the crater of any \(\ell \)-volcano for \(\ell \mid d\). Assuming no large prime divides d, this check can be accomplished efficiently by performing random walks in the volcanoes, as described in [41, Sect. 4.2] or [26]. Note that if we choose \(\varDelta _\pi \) square-free, then the only possible endomorphism ring is \(\mathcal {O}_K\), and there is nothing to be done.

Concretely, for the curve of Sect. 4 we have \(\varDelta _\pi /\varDelta _K=2^2\), so there are exactly two possible endomorphism rings. Looking at the action of the Frobenius endomorphism, we see that \({{\mathrm{End}}}(E)=\mathcal {O}_K\) if and only if \(E[2]\simeq (\mathbb {Z}/2\mathbb {Z})^2\).

Example 2

Let p and \(\mathcal {O}\) be as in Sect. 4. Suppose we are given the value

in \(\mathbb {F}_p\). It is claimed that \(\alpha \) is in \({{\mathrm{Ell}}}_p(\mathcal {O})\); that is, it is a valid public key for the system with parameters defined in Sect. 4. Following the discussion above, to validate \(\alpha \) as a public key, it suffices to exhibit a curve with j-invariant \(\alpha \), full rational 2-torsion, and a point of order N / 2. Using standard formulæ, we find that the two \(\mathbb {F}_p\)-isomorphism classes of elliptic curves with j-invariant \(\alpha \) are represented by the Montgomery curve \(E_\alpha /\mathbb {F}_p: y^2 = x(x^2 + Ax + 1)\) with

and its quadratic twist \(E_\alpha '\). Checking the 2-torsion first, we have \(E_\alpha [2](\mathbb {F}_p) \cong E_\alpha '[2](\mathbb {F}_p) \cong (\mathbb {Z}/2\mathbb {Z})^2\), because \(A^2 - 4\) is a square in \(\mathbb {F}_p\). Trying points on \(E_\alpha \), we find that \((23,\sqrt{23(23^2 + 23A + 1)})\) in \(E_\alpha (\mathbb {F}_p)\) has exact order N / 2. We conclude that \({{\mathrm{End}}}(E_\alpha ) = \mathcal {O}\), so \(\alpha \) is a valid public key. (In fact, \(E_\alpha \) is connected to the initial curve by a single 3-isogeny step.)

Consequences for cryptographic constructions. Since both of the checks above can be done much more efficiently than evaluating a single isogeny walk, we conclude that key validation is not only possible, but highly efficient for protocols based on the CRS construction. This stands in stark contrast to the case of SIDH, where key validation is known to be problematic [32], and even conjectured to be as hard as breaking the system [68].

Thanks to this efficient key validation, we can obtain CCA-secure encryption from the CRS action without resorting to generic transforms such as Fujisaki–Okamoto [27], unlike the case of SIKE [4, 34]. This in turn enables applications such as non-interactive key exchange, for which no practical post-quantum scheme was known prior to [12].

6 Experimental Results

In order to demonstrate that our protocol is usable at standard security levels, we implemented it in the Julia programming language. This proof of concept also allowed us to estimate isogeny step costs, which we needed to generate the initial curve in Sect. 4. We developed several Julia packagesFootnote 9, built upon the computer algebra package Nemo [25]. Experiments were conducted using Julia 0.6 and Nemo 0.7.3 on Linux, with an Intel Core i7-5600U cpu at 2.60 GHz.

Consider the time to compute one step for an ideal \(\mathfrak s = (\ell ,\pi -\lambda )\). Using Elkies steps, this is approximately the cost of finding the roots of the modular polynomial: roughly \(0.017\cdot \ell \) seconds in our implementation. Using Vélu steps, the cost is approximately that of one scalar multiplication in \(E(\mathbb {F}_{q^r})\); timings for the extension degrees \(r\) relevant to our parameters appear in Table 2.

Table 2. Timings for computing scalar multiplications in \(E(\mathbb {F}_{p^r})\), the dominant operation in VéluStep (Algorithm 6), as a function of the extension degree r.
Full size table

Using this data, finding efficient walk length bounds \(M_\ell \) offering a sufficient keyspace size is easily seen to be an integer optimization problem. We used the following heuristic procedure to find a satisfactory solution. Given a time bound T, let KeySpaceSize(T) be the keyspace size obtained when each \(M_\ell \) is the greatest such that the total time spent on \(\ell \)-isogenies is less than T. Then, if n is the (classical) security parameter, we look for the least T such that \( \textsc {KeySpaceSize}(T)\ge 2^{2n} \) (according to Sect. 5), using binary search. While the \(M_\ell \) we obtain are most likely not the best possible, intuitively the outcome is not too far from optimal.

In this way, we obtain a proposal for the walk length bounds \(M_\ell \) to be used in Algorithm 8 along with the curve found in Sect. 4, to achieve 128-bit classical security. Table 3 lists the isogeny degrees amenable to Algorithm 6, each with the corresponding extension degree r (a star denotes that the twisted curve allows us to use both directions in the isogeny graph, as in Remark 1). Table 4 lists other primes for which we apply Algorithm 5.

Table 3. Primes \(\ell \) amenable to Algorithm 6 (VéluStep) for our candidate isogeny graph, with corresponding extension degrees r and proposed walk length bounds \(M_\ell \).
Full size table
Table 4. Primes \(\ell \) amenable to Algorithm 5 (ElkiesWalk) for our candidate isogeny graph, with proposed walk length bounds \(M_\ell \).
Full size table

Using these parameters, we perform one isogeny walk in approximately 520 s. These timings are worst-case: the number of isogeny steps is taken to be exactly \(M_\ell \) for each \(\ell \). This is about as fast as Stolbunov’s largest parameter [62], which is for a prime of 428 bits and a keyspace of only 216 bits.

We stress that our implementation is not optimised. General gains in field arithmetic aside, optimised code could easily beat our proof-of-concept implementation at critical points of our algorithms, such as the root finding steps in Algorithms 3 and 4.

For comparison, without Algorithm 6 the total isogeny walk time would exceed 2000 seconds. Our ideas thus yield an improvement by a factor of over 4 over the original protocol. A longer search for efficient public parameters would bring further improvement.

7 Conclusion

We have shown that the Couveignes–Rostovtsev–Stolbunov framework can be improved to become practical at standard pre- and post-quantum security levels; even more so if an optimized C implementation is made. The main obstacle to better performance is the difficulty of generating optimal system parameters: even with a lot of computational power, we cannot expect to produce ordinary curve parameters that allow us to use only Vélu steps. In this regard, the CSIDH protocol [12], which overcomes this problem using supersingular curves instead of ordinary ones, is promising.

One particularly nice feature of our protocol is its highly efficient key validation, which opens a lot of cryptographic doors. However, side-channel-resistant implementations remain an interesting problem for future work.