Paper 2021/1583

Orientations and the supersingular endomorphism ring problem

Benjamin Wesolowski


We study two important families of problems in isogeny-based cryptography and how they relate to each other: computing the endomorphism ring of supersingular elliptic curves, and inverting the action of class groups on oriented supersingular curves. We prove that these two families of problems are closely related through polynomial-time reductions, assuming the generalised Riemann hypothesis. We identify two classes of essentially equivalent problems. The first class corresponds to the problem of computing the endomorphism ring of oriented curves. The security of a large family of cryptosystems (such as CSIDH) reduces to (and sometimes from) this class, for which there are heuristic quantum algorithms running in subexponential time. The second class corresponds to computing the endomorphism ring of orientable curves. The security of essentially all isogeny-based cryptosystems reduces to (and sometimes from) this second class, for which the best known algorithms are still exponential. Some of our reductions not only generalise, but also strengthen previously known results. For instance, it was known that in the particular case of curves defined over $\mathbb F_p$, the security of CSIDH reduces to the endomorphism ring problem in subexponential time. Our reductions imply that the security of CSIDH is actually equivalent to the endomorphism ring problem, under polynomial time reductions (circumventing arguments that proved such reductions unlikely).

Available format(s)
Publication info
A minor revision of an IACR publication in EUROCRYPT 2022
Isogeny-based cryptographycryptanalysisendomorphism ringclass grouporientation
Contact author(s)
benjamin wesolowski @ math u-bordeaux fr
2022-03-21: last of 3 revisions
2021-12-03: received
See all versions
Short URL
Creative Commons Attribution


      author = {Benjamin Wesolowski},
      title = {Orientations and the supersingular endomorphism ring problem},
      howpublished = {Cryptology ePrint Archive, Paper 2021/1583},
      year = {2021},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.