We consider two problems of foundational importance to isogeny-based cryptography, a branch of post-quantum cryptography: the endomorphism ring problem and the path-finding problem in isogeny graphs, for supersingular elliptic curves. The hardness of the first is necessary for isogeny-based cryptography to be secure [GPST16, CPV20]. Reciprocally, some cryptosystems (the earliest being [CLG09]) are proven secure if the second is hard. Both problems are believed to be equivalent, thereby constituting the bedrock of isogeny-based cryptography. However, known reductions rely on a variety of heuristic assumptions [PL17, EHM17, EHL18]. To arithmeticians, the endomorphism ring problem is simply the computational incarnation of the Deuring correspondence [Deu41]. This arithmetic theory met graph theory in the work of Mestre [Mes86] and Pizer [Piz90], and the related computational questions have been studied since [Koh96], yet the literature still heavily relies on heuristics.
This paper aims for a rigorous study of these problems from the generalised Riemann hypothesis (henceforth, GRH). As tools, we develop a rigorous algorithm to solve norm equations in quaternion algebras, and a rigorous variant of the heuristic algorithm from [KLPT14] for the quaternion analog of the path-finding problem, overcoming obstacles previously deemed “beyond the reach of existing analytic number theory techniques” [GPS20]. As an application we prove that the path-finding problem in -isogeny graphs and the endomorphism ring problem for supersingular elliptic curves are equivalent under reductions of polynomial expected time.
1.1. Hard problems for isogeny-based cryptography
The first isogeny-based cryptosystems were proposed by Couveignes in 1997 [Cou06]. This work was only made public in 2006, when the idea reemerged in [CLG09]. The latter introduced the path-finding problem in supersingular -isogeny graphs as a possible hard problem upon which cryptosystems can be constructed.
To any two primes and is associated a so-called supersingular -isogeny graph. It is a regular graph of degree with approximately vertices. Each vertex of the graph is a supersingular elliptic curve, and edges correspond to -isogenies between them (a particular kind of morphism between elliptic curves). Most importantly, these graphs are Ramanujan, i.e., optimal expander graphs. This implies that random walks quickly reach the uniform distribution. Starting from an elliptic curve, one can compute a chain of random -isogenies until the endpoint is uniformly distributed. Then, given only and , it seems hard to recover a path connecting them. This is the key to the preimage-resistant CGL hash function [CLG09], and the first of our problems of interest.
Problem 1.1.
Given a prime , and two supersingular elliptic curves and over , find a path from to in the -isogeny graph.
Isogeny-based cryptography has since grown considerably, after Jao and De Feo [JD11] noticed that it allows one to build “post-quantum” cryptosystems, meant to resist an adversary equipped with a quantum computer. There is today a wealth of other public-key protocols [CLM18, DKPS19, Cos20] (including a Round 3 candidate [JAC17] for NIST’s standardisation effort), signature schemes [BKV19, DG19, GPS20, DKL20] and other cryptosystems [DMPS19, BKW20] built on the presumed hardness of finding isogenies connecting supersingular elliptic curves.
The precise relation between the security of these schemes and the supposedly hard problem is a critical question. Some of these schemes, like [CLG09] or [GPS20], are known to be secure if finding isogeny paths is hard. The converse has been unclear: if one can solve efficiently, is all of isogeny-based cryptography broken? The first partial answer was discovered in [GPST16] by taking a detour through another problem. They prove that an efficient algorithm to solve the closely related endomorphism ring problem allows one to break the Jao–De Feo key exchange, and essentially all schemes of this type (see [FKM21]). Similarly, it was proven in [CPV20] that the security of CSIDH [CLM18] and its variants (an a priori very different family of cryptosystems) also reduces to the endomorphism ring problem, via a sub-exponential reduction.
Given an elliptic curve , an endomorphism is an isogeny from to itself. The set of all endomorphisms of , written , is a ring, where the addition is pointwise and multiplication is given by composition. Loops in -isogeny graphs provide endomorphisms, hence the connection between path-finding problems and computing endomorphism rings. Since the curves considered are supersingular, the endomorphism rings are always generated by four elements (as a lattice), and they are isomorphic to certain subrings of a quaternion algebra , called maximal orders. The problem of computing the endomorphism ring comes in two flavours. The first actually looks for endomorphisms.
Problem 1.2 (EndRing).
Given a prime , and a supersingular elliptic curve over , find four endomorphisms of (in an efficient representation) that generate as a lattice.
By an efficient representation for endomorphisms , we mean that there is an algorithm to evaluate for any in time polynomial in the length of the representation of and in . We also assume that an efficient representation of has length . The second version asks for an abstract description of .
Problem 1.3 (MaxOrder).
Given a prime , and a supersingular elliptic curve over , find four quaternions in that generate a maximal order such that .
Neither of them clearly reduces to the other, and in [GPST16], it is only proven that solving both simultaneously allows one to break cryptosystems. Many works have studied the three problems , EndRing and MaxOrder, as early as [Koh96], originally motivated by the importance of these structures in arithmetic geometry. With the increasing practical impact of these problems, it has become critical to understand their relations. It was shown in [EHL18] that, under several heuristic assumptions, all three appear to be equivalent.
We prove that the problems , EndRing and MaxOrder are equivalent under reductions of polynomial expected time, assuming the generalised Riemann hypothesis. In doing so, we develop new tools for a rigorous study of these problems.
Most importantly, we develop a new, rigorous variant of the heuristic algorithm of [KLPT14] for QuaternionPath, a quaternion analog of . This algorithm (and its variants) is a crucial component of the reductions, but is also a powerful cryptanalytic tool [GPST16] and a building block for cryptosystems [DKPS19, GPS20, DKL20]. More precisely, we solve in polynomial time the following problem for very flexible choices of , including the most important variants -QuaternionPath and -PSQuaternionPath.
Problem 1.4 (QuaternionPath).
Given two maximal orders and in and a set of positive integers, find a left -ideal such that and (definitions provided in Section 2.2). If is the set of powers of a prime , we call the corresponding problem -QuaternionPath. If is the set of -powersmooth integers for some , we call the corresponding problem -PSQuaternionPath.
The design and analysis of this new algorithm spans several sections of the present article.
In Section 3, we combine some algorithmic considerations on Euclidean lattices and the Chebotarev density theorem to prove that given an ideal in a maximal order, one can efficiently find an equivalent prime ideal (Theorem 3.7). This serves as a preconditioning step in our algorithm, and has a heuristic analog in [KLPT14].
In Section 4, we prove bounds on the number of ways to represent an integer as a linear combination of a prime and a quadratic form. This is a generalisation of a classic problem of Hardy and Littlewood [HL23] on representing integers as . The proof resorts to analytic number theory, and the result, Theorem 4.2, unlocks the analysis of algorithms to solve certain diophantine equations in the following section.
where and are positive integers, is a positive definite, integral, binary quadratic form, and is an integral matrix. The key allowing a rigorous analysis is to randomise the class of within its genus using random walks, and apply the results of the previous section. As a first application, we use this algorithm to solve norm equations in special maximal orders in Corollary 5.8.
Note that our efforts are focused on obtaining rigorous, polynomial-time algorithms, with little consideration for practical efficiency, hence we spend little energy on calculating or optimising the hidden constants. A fast implementation should certainly follow the heuristic algorithm [KLPT14], only resorting to our rigorous variant when unexpected obstructions are encountered.
With this new algorithm at hand, we then tackle the various reductions between , EndRing and MaxOrder. They are similar to heuristic methods from the literature, notably [EHL18], with a number of substantial differences that allow a rigorous analysis. Note that our chain of reductions has a different structure from [EHL18].
We start in Section 7 by proving that and MaxOrder are equivalent. To do so, we adapt previous heuristic methods, essentially replacing their reliance on [KLPT14] with the new rigorous variants. In particular, we prove that there is a polynomial time algorithm to convert certain ideals of prime power norm into isogenies.
Finally, we prove in Section 8 that MaxOrder and EndRing are equivalent. The reduction from EndRing to MaxOrder is essentially the same as the heuristic reduction from [EHL18], adapted to our new rigorous tools. The converse requires more work: the reduction from MaxOrder to EndRing in [EHL18] encounters several large random numbers which are hoped to be easy to factor with good probability. We propose a strategy that provably avoids hard factorisations, exploiting the tools developed in Section 3.
Note that we do not a priori restrict the size of solutions to the three problems; however, our reductions polynomially preserve bounds on the output size. In particular, all reductions preserve the property of having a polynomially bounded output size, a requirement in [EHL18]. This allows the reductions to be more versatile, and apply for instance if one discovers an algorithm that solves with paths of superpolynomial length.
The statements , and are synonymous, where is the classic big O notation. We write to signify that the hidden constants depend on . We denote by , , and the ring of integers, the set of positive integers, and the field of rational numbers. For any prime power , we denote by the finite field with elements. The function denotes the natural logarithm. The size of a set is denoted by . If and are two integers, the greatest common divisor of and is written . We write if divides , or if all prime factors of divide , or if and . The number of divisors of is denoted by , and the number of prime divisors by , and Euler’s totient is . If is a ring and a positive integer, is the ring of matrices with coefficients in . All statements containing the mention (GRH) assume the generalised Riemann hypothesis.
2.1. Quadratic forms
We will extensively use the theory of quadratic forms; the reader can find more details on the theory, with a computational perspective, in [Coh13]. A quadratic form of dimension is a polynomial in variables whose terms all have degree . A quadratic form in the variable is determined by its Gram matrix , a symmetric matrix such that
For computational purposes, we assume that quadratic forms are represented as their Gram matrix, and we let be the total binary length of its coefficients. The form is integral if for any , or equivalently, if and . If is integral and , we say that represents if there exists such that . The form is definite if implies , and it is positive if for all . It is primitive if the greatest common divisor of all integers represented by is . It is binary if . The discriminant of is
To any quadratic form is associated a symmetric bilinear form
Given the bilinear form, one can recover the Gram matrix as , where is the canonical basis. If , let be the quadratic form defined by , with Gram matrix . A quadratic space is a -vector space of finite dimension together with a quadratic map such that for any (hence all) basis of , we have that is a quadratic form in . A lattice is a full-rank -submodule in a positive definite quadratic space. The discriminant of a lattice is the discriminant of the quadratic form induced by any of its bases. Any positive definite induces a lattice structure on , via the canonical basis. The geometric invariants of this lattice induce invariants of . The volume of is . The covering radius is the smallest such that for any , we have . We will use the following bound.
Lemma 2.1. If is integral, then , where is Hermite’s constant.
Let be the successive minima of . We have . By Minkowski’s second theorem, and since is integral, , hence ∎
2.2. Quaternion algebras
An algebra is a quaternion algebra over if there exist and such that is a -basis for and
Given and , the corresponding algebra is denoted by . Write an arbitrary element of as with . The quaternion algebra has a canonical involution . It induces the reduced trace and the reduced norm
The latter is a quadratic map, which makes a quadratic space, and endows its -submodules with a lattice structure. The corresponding bilinear form is
If is a full-rank lattice in , the reduced norm of is . We associate to the normalised quadratic map
An order in is a full-rank lattice that is also a subring. It is maximal if it is not contained in any other order. For any lattice , we define the left order of and the right order of as
If is a maximal order, and is a left ideal in , then and is another maximal order. Given two maximal orders and , their connecting ideal is the ideal
which satisfies and .
Let be a maximal order. Two left -ideals and are equivalent if there exists such that . The set of classes for this equivalence relation is the (left) ideal class set of , written . The class of is written .
To any prime number , one associates a quaternion algebra . In algebraic terms, is defined as the unique quaternion algebra over ramified exactly at and . Explicitly, it is given by the following lemma, from [Piz80].
Lemma 2.2. Let be a prime. Then, , where
where is the smallest prime such that and . Assuming GRH, we have , which can thus be computed in polynomial time in .
For a given quaternion algebra, the defining pair is not unique. However, in the rest of this article, the algebra will always be associated to the pair given in Lemma 2.2, and the induced basis . For each , we distinguish a maximal order in , and a useful suborder, in the following lemma. This order will be referred to as the special maximal order of .
Lemma 2.3. For any , the quaternion algebra contains the maximal order
where in the last case is an integer such that . Assuming GRH, the maximal order contains the suborder with index , where is the ring of integers of . If is a reduced generator of , then
where is a principal, primitive, positive definite, integral binary quadratic form of discriminant .
If is any maximal order in , then . In fact, for any left -ideal , we have and the normalised quadratic map has discriminant . The following lemma tells us that the integers represented by are the norms of ideals equivalent to .
Lemma 2.4 ([KLPT14, Lemma 5]).
Let be a left -ideal, and . Then, is an equivalent left -ideal of norm .
2.3. Supersingular elliptic curves
A detailed account of the theory of elliptic curves can be found in [Sil86]. An elliptic curve is an abelian variety of dimension . More explicitly, given a field of characteristic , an elliptic curve can be described as an equation for with . The -rational points of are the pairs satisfying the curve equation, together with a point ‘at infinity’. They form an abelian group, written additively, where is the neutral element. The geometric points of are the -rational points, where is the algebraic closure of .
Let and be two elliptic curves defined over . An isogeny is a non-constant rational map that sends to . It is then a group homomorphism from to , and its kernel over the algebraic closure, written , is finite. The degree is the degree of as a rational map. When is coprime to , then . The degree is multiplicative, in the sense that . For any integer , the multiplication-by- map is an isogeny. For any isogeny , its dual is the unique isogeny such that . If is prime, we say that is an -isogeny. Any isogeny factors as a product of isogenies of prime degrees, hence -isogenies are basic building blocks. An isogeny of degree coprime to is uniquely determined by its kernel. Given this kernel, one can compute equations for the isogeny in time polynomial in and via Vélu’s formula [Vél71]. An isogeny can be represented in size polynomial in and , for instance as a rational map, or by a generator of its kernel. The output of is a chain of -isogenies of length ; it corresponds to an isogeny of degree , but should be represented as a sequence of -isogenies (so that the length of the representation is polynomial in and instead of ).
An isomorphism is an isogeny of degree . We say that and are isomorphic over (an extension of ) if there is an isomorphism between them that is defined over . The -invariant of is . We have if and only if and are isomorphic over the algebraic closure of . It is then simple to test -isomorphism. It is also simple to compute explicit isomorphisms.
An endomorphism of is an isogeny from to itself. The endomorphism ring is the collection of these endomorphisms, together with the trivial map . It is a ring for pointwise addition and composition of maps. The map is an embedding. In that sense, contains as a subring, but it is always larger (in positive characteristic). The curve is supersingular if has rank as a -module. Then, is isomorphic to a maximal order in the quaternion algebra , defined in Section 2.2. Up to -isomorphism, all supersingular elliptic curves are defined over , and there are of them, with . Fix a prime . The supersingular -isogeny graph (for ) is the graph whose vertices are these supersingular elliptic curves (up to isomorphism), and there is an edge from to for each -isogeny from to . It is a regular graph of degree (because any has subgroups of order , each inducing an isogeny of kernel ). The -isogeny graph is Ramanujan. In particular, random walks rapidly converge to the uniform distribution, and any two curves of the graph are connected by an isogeny of degree with .
2.4. The Deuring correspondence
As already mentioned, given a supersingular elliptic curve over , its endomorphism ring is isomorphic to a maximal order in . This Deuring correspondence is in fact a bijection
A more detailed account of the theory can be found in [Voi21, Chapter 42].
We have identified a special order in Lemma 2.3, and it is natural to wonder what the corresponding elliptic curve may be. If , then the curve defined by is supersingular. It is defined over , so has the Frobenius endomorphism . Furthermore, if satisfies , it is easy to check that is also an endomorphism. These endomorphisms generate almost all : we actually have
Since and , we have . More generally, we have the following result.
Lemma 2.5 ([EHL18, Proposition 3]).
Let as in Lemma 2.3. There is an algorithm that for any prime computes an elliptic curve over and such that
is an isomorphism, and runs in time polynomial in (if , we assume GRH).
The Deuring correspondence runs deeper than a simple bijection: it also preserves morphisms between the two categories. Given any isogeny , let , where is the set of isogenies from to . This object is a left -ideal, hence . Furthermore, . In other words, connects to , just as connects to . This construction preserves the ‘quadratic structure’, in the sense that .
Conversely, suppose is a left -ideal. Then, we can construct an isogeny as the unique isogeny with the kernel determined by this ideal. These two constructions are mutual inverses, meaning that for any and , we have and . The translation from to can be computed efficiently, provided that is an ideal in the special order from Lemma 2.3, and that is powersmooth (its prime-power factors are polynomially bounded). This is the following lemma. Only the case is considered in [GPS20], but as noted in [EHL18], it easily extends to arbitrary .
3. Quadratic forms and prime sampling
In this section, we consider the following problem: given an integral, primitive, positive definite quadratic form of rank , find such that is prime. We then give a first application of this problem, for finding ideals of prime norm in a given ideal class of a maximal order of .
3.1. Sampling primes
Let be an integral, primitive, positive definite quadratic form. In this section, we discuss the problem of sampling vectors in so that is prime. Let us first focus on the binary case, for which the following theorem tells us that a significant proportion of vectors represent primes. It is a classical consequence of the effective Chebotarev density theorem under GRH, due to Lagarias and Odlyzko [LO77].
Theorem 3.1 (GRH).
If is an integral, primitive, positive definite, binary quadratic form of discriminant , the number of primes at most represented by is
where is if is equivalent to , and otherwise.
The quantity should be compared to the cardinality of , which we estimate in the following lemma, in a slightly more general form for later purposes.
Lemma 3.2. For any integral, positive definite, binary quadratic form , any and any , we have
For any , let be the volume of the standard 2-ball of radius . It is a classical application of the covering radius that
This comes from the fact that Voronoi cells of have volume and diameter . From Lemma 2.1 with Hermite’s constant , we have . We obtain
from which the result follows. ∎
Lemma 3.3. Let be a primitive, positive definite, integral, binary quadratic form, and let . There is an algorithm that samples uniformly random elements from in polynomial time in and in .
Let be the ball of radius around the origin. Let , and we wish to sample uniformly in . First, compute a Minkowski-reduced basis of with . If , then , and we can uniformly sample such that and return . We may now assume that , which implies , with the covering radius of . Let be the Voronoi cell around the origin. Given any , a closest lattice vector is an element such that . This closest vector can be computed efficiently in dimension , and is unique for almost all : only the boundaries of Voronoi cells are ambiguous. We sample as follows:
Solve the closest vector problem for , resulting in (unique with probability ).
If , return it; otherwise restart.
Let us analyse the distribution of when is uniform. For any , we have , hence
In particular, for does not depend on , which proves that the output of the sampling procedure is uniform in . Finally,
which proves that the procedure succeeds after an expected constant number of trials. ∎
Proposition 3.4 (GRH).
Let be a primitive, positive definite, integral, binary quadratic form. For any , there is an algorithm that finds integers such that is a prime number at most , and runs in polynomial time in .
From Lemma 3.3, one can sample uniformly random pairs of integers such that . We conclude by combining Lemma 3.2 and Theorem 3.1 (with , see for instance [Coh08, p. 138]), which imply that a uniformly random vector represents a prime with good probability. The in the exponent comes from the crossover point between the main term and the error term in Theorem 3.1. ∎
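The sampler of Lemma 3.3 and the prime search of Proposition 3.4, as an added Python example that is not part of the paper: it assumes the form is primitive, positive definite and integral and is given by its three coefficients, uses the Babai rounding error of a reduced basis as a stand-in for the covering radius bound, and leaves the choice of the bound on the prime to the caller (the paper's constants are not reproduced).

```python
# Added example, not the paper's code: Lemma 3.3's uniform sampler of short
# vectors of the binary form f(x, y) = a x^2 + b x y + c y^2 (stored as
# (a, b, c)), followed by the prime search of Proposition 3.4.
import math
import random

def evaluate(f, v):
    a, b, c = f
    return a * v[0] * v[0] + b * v[0] * v[1] + c * v[1] * v[1]

def is_prime(n):
    """Miller-Rabin with fixed bases; deterministic for n < 3.4 * 10^14."""
    bases = (2, 3, 5, 7, 11, 13, 17)
    if n < 2 or n in bases:       # n < 2 is not prime, a base itself is
        return n >= 2
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def reduced_basis(f):
    """Lagrange (Minkowski) reduced basis of Z^2 for the metric given by f."""
    a, b, c = f
    v1, v2 = (1, 0), (0, 1)
    if a > c:
        v1, v2 = v2, v1
    while True:  # pairing u^T G v for the Gram matrix G = [[a, b/2], [b/2, c]]
        pair = a * v1[0] * v2[0] + b * (v1[0] * v2[1] + v1[1] * v2[0]) / 2 + c * v1[1] * v2[1]
        m = round(pair / evaluate(f, v1))
        v2 = (v2[0] - m * v1[0], v2[1] - m * v1[1])
        if evaluate(f, v2) >= evaluate(f, v1):
            return v1, v2
        v1, v2 = v2, v1

def closest_vector(f, basis, t):
    """Lattice vector closest to the real point t (exact for a reduced basis)."""
    v1, v2 = basis
    det = v1[0] * v2[1] - v1[1] * v2[0]          # +-1: the basis is unimodular
    alpha = (t[0] * v2[1] - t[1] * v2[0]) / det  # t = alpha v1 + beta v2
    beta = (v1[0] * t[1] - v1[1] * t[0]) / det
    best, best_dist = None, math.inf
    for i in range(-2, 3):                       # neighbourhood of Babai rounding
        for j in range(-2, 3):
            m, n = round(alpha) + i, round(beta) + j
            v = (m * v1[0] + n * v2[0], m * v1[1] + n * v2[1])
            dist = evaluate(f, (t[0] - v[0], t[1] - v[1]))
            if dist < best_dist:
                best, best_dist = v, dist
    return best

def sample_short_vector(f, bound):
    """Uniform v in Z^2 with f(v) <= bound (Lemma 3.3): the f-ball is enlarged by a
    covering-radius bound mu so every admissible v owns a full Voronoi cell in it."""
    a, b, c = f
    v1, v2 = basis = reduced_basis(f)
    mu = (math.sqrt(evaluate(f, v1)) + math.sqrt(evaluate(f, v2))) / 2
    r2 = (math.sqrt(bound) + mu) ** 2
    dd = 4 * a * c - b * b                       # -disc(f) > 0
    x_max, y_max = math.sqrt(4 * c * r2 / dd), math.sqrt(4 * a * r2 / dd)
    while True:                                  # bounding-box rejection for the ellipse
        t = (random.uniform(-x_max, x_max), random.uniform(-y_max, y_max))
        if evaluate(f, t) <= r2:
            v = closest_vector(f, basis, t)
            if evaluate(f, v) <= bound:          # reject points outside the target set
                return v

def find_prime_represented(f, bound, max_trials=10000):
    """Proposition 3.4: (x, y) with f(x, y) a prime at most bound, and that prime."""
    for _ in range(max_trials):
        v = sample_short_vector(f, bound)
        n = evaluate(f, v)
        if is_prime(n):
            return v, n
    raise RuntimeError("no prime found within the trial budget")
```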
Proposition 3.5 (GRH).
Let be a primitive, positive definite, integral quadratic form of dimension . For any , there is an algorithm that finds a vector such that is a prime number at most (or if ), and runs in polynomial time in .
We are looking for two integral vectors and that generate a primitive binary quadratic form . We then apply Proposition 3.4 to .
Compute an LLL-reduced [LLL82] basis of so that and . Let . Then, factor where each seems hard to factor further, and they are pairwise coprime. For each , we now describe a procedure that will either reveal new factors of (in which case we can restart with this new piece of information), or find a vector such that is coprime to . We proceed as follows:
We compute the greatest common divisor of with each of and (i.e., the coefficients of in the basis ).
These common divisors cannot all be equal to since is primitive. So either one of them is a non-trivial factor of (and we restart), or one of them is .
If there is an index such that , we return .
Otherwise, there are indices and with , and . Then, we return .
Now, let , and as desired, . We have , and the form is primitive. It has volume at most . If , we have , and if , we have . The result then follows from Proposition 3.4. ∎
In applications, we will often need to find vectors representing primes that are large enough (but not too large). This can be done by a straightforward adaptation of the above strategy.
Proposition 3.6 (GRH).
There exists a constant and an algorithm such that the following holds. Let be a primitive, positive definite, integral quadratic form of dimension . For any , the algorithm outputs a vector such that is a prime number between and , and runs in polynomial time in and .
As in the proof of Proposition 3.5, one can compute a sub-basis of that induces a primitive binary quadratic form of discriminant at most . Applying Lemma 3.3, one can sample uniformly random pairs such that . From Theorem 3.1, is prime and larger than with good probability, provided that is large enough. ∎
3.2. Computing equivalent ideals of prime norm
The above results will be important in the rest of the article, and we can already put them to use in a first important application. Consider a maximal order in and a left -ideal . We can compute an equivalent ideal of prime norm as an immediate consequence of Proposition 3.5.
Theorem 3.7 (GRH).
For any , Algorithm 1 is correct and runs in expected polynomial time in and , and the output has reduced norm .
It follows from Proposition 3.5, and the fact that is a primitive, positive-definite, integral quadratic map of discriminant . ∎
Recall that our efforts are focused on provability, and the constants we obtain are certainly not tight. In [KLPT14, Section 3.1], the analogous heuristic algorithm is expected to return of norm most of the time, and they argue that in the worst case, one could possibly obtain .
For our applications, we need a slightly more powerful version.
Proposition 3.8 (GRH).
There is a constant and an algorithm which, on input a left ideal , a bound , and a prime , returns an ideal equivalent to such that is a prime between and , and is a quadratic non-residue modulo , and runs in polynomial time in , , and .
Apply Algorithm 1 with two modifications. First, we use Proposition 3.6 instead of Proposition 3.5. Second, assuming , we consider a sublattice in place of , where the quotient is generated by any element such that and is a quadratic non-residue modulo . It follows from quadratic reciprocity that for any in the lattice, when is prime, then is a quadratic non-residue modulo . Similarly, if , we consider a sublattice where the quotient is generated by any element such that . ∎
4. Representing integers with quadratic forms and primes
In this section, we count the number of ways to represent an integer in the form , where the integers and and the quadratic form are fixed, and is required to be prime. The bounds we obtain are key to the analysis of algorithms designed in the following sections. The proof resorts to analytic number theory. The reader only interested in computational applications can safely read up to Corollary 4.3 before skipping to the next section.
We fix the following notation for the rest of the section. Let be a primitive, integral, positive definite, binary quadratic form of discriminant where is fundamental. Let . Let be positive integers with . Let be the Kronecker symbol , primitive of conductor . Let be a positive integer such that . Finally, let
The goal of this section is to obtain lower bounds on the size of .
The problem at hand is a generalisation of the classic problem of Hardy and Littlewood [HL23] of representing integers as , where is prime. The number of representations of an integer by is . Following a classical approach to the Hardy and Littlewood problem, we can write
Unfortunately, controlling is in general a difficult task. However, we know more about the number of representations of in the genus of . We indeed have the following classical theorem (see for instance [Pal33]).
Let be a primitive, integral, binary quadratic form of discriminant