**Orientations and the supersingular endomorphism ring problem**

*Benjamin Wesolowski*

**Abstract: **We study two important families of problems in isogeny-based cryptography and how they relate to each other: computing the endomorphism ring of supersingular elliptic curves, and inverting the action of class groups on oriented supersingular curves. We prove that these two families of problems are closely related through polynomial-time reductions, assuming the generalised Riemann hypothesis.

We identify two classes of essentially equivalent problems. The first class corresponds to the problem of computing the endomorphism ring of oriented curves. The security of a large family of cryptosystems (such as CSIDH) reduces to (and sometimes from) this class, for which there are heuristic quantum algorithms running in subexponential time. The second class corresponds to computing the endomorphism ring of orientable curves. The security of essentially all isogeny-based cryptosystems reduces to (and sometimes from) this second class, for which the best known algorithms are still exponential.

Some of our reductions not only generalise, but also strengthen previously known results. For instance, it was known that in the particular case of curves defined over $\mathbb F_p$, the security of CSIDH reduces to the endomorphism ring problem in subexponential time. Our reductions imply that the security of CSIDH is actually equivalent to the endomorphism ring problem, under polynomial time reductions (circumventing arguments that proved such reductions unlikely).

**Category / Keywords: **Isogeny-based cryptography, cryptanalysis, endomorphism ring, class group, orientation

**Date: **received 2 Dec 2021, last revised 14 Dec 2021

**Contact author: **benjamin wesolowski at math u-bordeaux fr

**Available format(s): **PDF | BibTeX Citation

**Version: **20211214:100130 (All versions of this report)

**Short URL: **ia.cr/2021/1583

[ Cryptology ePrint archive ]