Identification Protocols and Signature Schemes Based on Supersingular Isogeny Problems

  • Steven D. GalbraithEmail author
  • Christophe Petit
  • Javier Silva
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10624)


We provide a new identification protocol and new signature schemes based on isogeny problems. Our identification protocol relies on the hardness of the endomorphism ring computation problem, arguably the hardest of all problems in this area, whereas the only previous scheme based on isogenies (due to De Feo, Jao and Plût) relied on potentially easier problems. The protocol makes novel use of an algorithm of Kohel-Lauter-Petit-Tignol for the quaternion version of the \(\ell \)-isogeny problem, for which we provide a more complete description and analysis. Our new signature schemes are derived from the identification protocols using the Fiat-Shamir (respectively, Unruh) transforms for classical (respectively, post-quantum) security. We study their efficiency, highlighting very small key sizes and reasonably efficient signing and verification algorithms.



We thank Dominique Unruh, David Pointcheval and Ali El Kaafarani for discussions related to this paper. Research from the second author was supported by a research grant from the UK government.


  1. 1.
    Abdalla, M., An, J.H., Bellare, M., Namprempre, C.: From identification to signatures via the fiat-shamir transform: minimizing assumptions for security and forward-security. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 418–433. Springer, Heidelberg (2002). CrossRefGoogle Scholar
  2. 2.
    Alon, N., Benjamini, I., Lubetzky, E., Sodin, S.: Non-backtracking random walks mix faster. Commun. Contemp. Math. 9(4), 585–603 (2007)MathSciNetCrossRefzbMATHGoogle Scholar
  3. 3.
    Bellare, M., Poettering, B., Stebila, D.: From identification to signatures, tightly: a framework and generic transforms. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10032, pp. 435–464. Springer, Heidelberg (2016). CrossRefGoogle Scholar
  4. 4.
    Biasse, J.-F., Jao, D., Sankar, A.: A quantum algorithm for computing isogenies between supersingular elliptic curves. In: Meier, W., Mukhopadhyay, D. (eds.) INDOCRYPT 2014. LNCS, vol. 8885, pp. 428–442. Springer, Cham (2014). Google Scholar
  5. 5.
    Bisson, G., Sutherland, A.V.: Computing the endomorphism ring of an ordinary elliptic curve over a finite field. J. Number Theory 131(5), 815–831 (2011)MathSciNetCrossRefzbMATHGoogle Scholar
  6. 6.
    Charles, D.X., Lauter, K.E., Goren, E.Z.: Cryptographic hash functions from expander graphs. J. Cryptol. 22(1), 93–113 (2009)MathSciNetCrossRefzbMATHGoogle Scholar
  7. 7.
    Childs, A.M., Jao, D., Soukharev, V.: Constructing elliptic curve isogenies in quantum subexponential time. J. Math. Cryptol. 8(1), 1–29 (2014)MathSciNetCrossRefzbMATHGoogle Scholar
  8. 8.
    Costello, C., Longa, P., Naehrig, M.: Efficient algorithms for supersingular isogeny Diffie-Hellman. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 572–601. Springer, Heidelberg (2016). CrossRefGoogle Scholar
  9. 9.
    Damgård, I.: On \(\sigma \)-protocols. University of Aarhus, Department for Computer Science, Lecture Notes (2010)Google Scholar
  10. 10.
    Deligne, P.: La conjecture de Weil. I. Publications Mathématiques de l’Institut des Hautes Études Scientifiques 43(1), 273–307 (1974)MathSciNetCrossRefzbMATHGoogle Scholar
  11. 11.
    Deuring, M.: Die Typen der Multiplikatorenringe elliptischer Funktionenkörper. Abhandlungen aus dem Mathematischen Seminar der Universität Hamburg 14, 197–272 (1941). MathSciNetCrossRefzbMATHGoogle Scholar
  12. 12.
    Dewaghe, L.: Isogénie entre courbes elliptiques. Util. Math. 55, 123–127 (1999)MathSciNetzbMATHGoogle Scholar
  13. 13.
    Feige, U., Fiat, A., Shamir, A.: Zero-knowledge proofs of identity. J. Cryptol. 1(2), 77–94 (1988)MathSciNetCrossRefzbMATHGoogle Scholar
  14. 14.
    De Feo, L., Jao, D., Plût, J.: Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. J. Math. Cryptol. 8(3), 209–247 (2014)MathSciNetzbMATHGoogle Scholar
  15. 15.
    Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987). Google Scholar
  16. 16.
    Galbraith, S.D.: Constructing isogenies between elliptic curves over finite fields. LMS J. Comput. Math 2, 118–138 (1999)MathSciNetCrossRefzbMATHGoogle Scholar
  17. 17.
    Galbraith, S.D., Petit, C., Shani, B., Ti, Y.B.: On the security of supersingular isogeny cryptosystems. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 63–91. Springer, Heidelberg (2016). CrossRefGoogle Scholar
  18. 18.
    Galbraith, S.D., Petit, C., Silva, J.: Signature schemes based on supersingular isogeny problems. Cryptology ePrint Archive, Report 2016/1154 (2016).
  19. 19.
    Gélin, A., Wesolowski, B.: Loop-abort faults on supersingular isogeny cryptosystems. In: Lange, T., Takagi, T. (eds.) PQCrypto 2017. LNCS, vol. 10346, pp. 93–106. Springer, Cham (2017). CrossRefGoogle Scholar
  20. 20.
    Hoory, S., Linial, N., Wigderson, A.: Expander graphs and their applications. Bull. Amer. Math. Soc. 43, 439–561 (2006)MathSciNetCrossRefzbMATHGoogle Scholar
  21. 21.
    Jao, D., De Feo, L.: Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. In: Yang, B.-Y. (ed.) PQCrypto 2011. LNCS, vol. 7071, pp. 19–34. Springer, Heidelberg (2011). CrossRefGoogle Scholar
  22. 22.
    Jao, D., Soukharev, V.: Isogeny-based quantum-resistant undeniable signatures. In: Mosca, M. (ed.) PQCrypto 2014. LNCS, vol. 8772, pp. 160–179. Springer, Cham (2014). Google Scholar
  23. 23.
    Katz, J.: Digital Signatures. Springer, Heidelberg (2010)CrossRefzbMATHGoogle Scholar
  24. 24.
    Kedlaya, K.S., Umans, C.: Fast polynomial factorization and modular composition. SIAM J. Comput. 40(6), 1767–1802 (2011)MathSciNetCrossRefzbMATHGoogle Scholar
  25. 25.
    Kohel, D.: Endomorphism rings of elliptic curves over finite fields. Ph.D. thesis, University of California, Berkeley (1996)Google Scholar
  26. 26.
    Kohel, D., Lauter, K., Petit, C., Tignol, J.-P.: On the quaternion \(\ell \)-isogeny path problem. LMS J. Comput. Math. 17A, 418–432 (2014)MathSciNetCrossRefzbMATHGoogle Scholar
  27. 27.
    Nguyen, P.Q., Stehlé, D.: Low-dimensional lattice basis reduction revisited. ACM Trans. Algorithms 5(4), 46 (2009)MathSciNetCrossRefzbMATHGoogle Scholar
  28. 28.
    Petit, C.: On the quaternion \(\ell \)-isogeny problem. Presentation slides from a talk at the University of Neuchâtel, March 2015Google Scholar
  29. 29.
    Petit, C.: Faster algorithms for isogeny problems using torsion point images. In: ASIACRYPT 2017 (2017, to appear).
  30. 30.
    Pizer, A.K.: Ramanujan graphs and Hecke operators. Bull. Am. Math. Soc. 23(1), 127–137 (1990)MathSciNetCrossRefzbMATHGoogle Scholar
  31. 31.
    Silverman, J.H.: The Arithmetic of Elliptic Curves. Springer, Heidelberg (1986)CrossRefzbMATHGoogle Scholar
  32. 32.
    Ti, Y.B.: Fault attack on supersingular isogeny cryptosystems. In: Lange, T., Takagi, T. (eds.) PQCrypto 2017. LNCS, vol. 10346, pp. 107–122. Springer, Cham (2017). CrossRefGoogle Scholar
  33. 33.
    Unruh, D.: Non-interactive zero-knowledge proofs in the quantum random oracle model. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 755–784. Springer, Heidelberg (2015). Google Scholar
  34. 34.
    Unruh, D.: Post-quantum security of Fiat-Shamir. In: ASIACRYPT 2017 (2017, to appear).
  35. 35.
    Venturi, D.: Zero-knowledge proofs and applications. University of Rome, Lecture Notes (2015)Google Scholar
  36. 36.
    Vignéras, M.-F.: Arithmétique des algébres de quaternions. Springer, Heidelberg (1980)CrossRefzbMATHGoogle Scholar
  37. 37.
    Voight, J.: Quaternion algebras (2017).
  38. 38.
    von zur Gathen, J., Shoup, V.: Computing Frobenius maps and factoring polynomials. Comput. Complex. 2, 187–224 (1992)MathSciNetCrossRefzbMATHGoogle Scholar
  39. 39.
    Vélu, J.: Isogénies entre courbes elliptiques. Commun. de l’Académie royale des Sci. de Paris 273, 238–241 (1971)zbMATHGoogle Scholar
  40. 40.
    Waterhouse, W.C.: Abelian varieties over finite fields. Ann. scientifiques de l’ENS 2, 521–560 (1969)MathSciNetzbMATHGoogle Scholar
  41. 41.
    Xi, S., Tian, H., Wang, Y.: Toward quantum-resistant strong designated verifier signature from isogenies. Int. J. Grid Util. Comput. 5(2), 292–296 (2012)Google Scholar
  42. 42.
    Yoo, Y., Azarderakhsh, R., Jalali, A., Jao, D., Soukharev, V.: A post-quantum digital signature scheme based on supersingular isogenies. In: Financial Crypto 2017 (2017)Google Scholar

Copyright information

© International Association for Cryptologic Research 2017

Authors and Affiliations

  • Steven D. Galbraith
    • 1
    Email author
  • Christophe Petit
    • 2
  • Javier Silva
    • 3
  1. 1.Mathematics DepartmentUniversity of AucklandAucklandNew Zealand
  2. 2.School of Computer ScienceUniversity of BirminghamBirminghamUK
  3. 3.Universitat Pompeu FabraBarcelonaSpain

Personalised recommendations