Supersingular Curves You Can Trust

Abstract. Generating a supersingular elliptic curve such that nobody knows its endomorphism ring is a notoriously hard task, despite several isogeny-based protocols relying on such an object. A trusted setup is often proposed as a workaround, but several aspects remain unclear. In this work, we develop the tools necessary to practically run such a distributed trusted-setup ceremony. Our key contribution is the first statistically zero-knowledge proof of isogeny knowledge that is compatible with any base field. To prove statistical ZK, we introduce isogeny graphs with Borel level structure and prove they have the Ramanujan property. Then, we analyze the security of a distributed trusted-setup protocol based on our ZK proof in the simplified universal composability framework. Lastly, we develop an optimized implementation of the ZK proof, and we propose a strategy to concretely deploy the trusted-setup protocol.


Introduction
Be it foundationally or for efficiency, most of isogeny based cryptography is built upon supersingular elliptic curves [13,36,11,23,31,22,17]. At the heart of it lies the supersingular isogeny graph: a graph whose vertices represent supersingular elliptic curves (up to isomorphism) and whose edges represent isogenies (up to isomorphism) of some fixed small prime degree between them. A foundational hard problem for isogeny based cryptography is then: given two supersingular elliptic curves, find a path in the supersingular isogeny graph connecting them.
An endomorphism is an isogeny from a curve E to itself, and their collection forms the endomorphism ring End(E). In recent years, the connection between finding isogeny paths and computing endomorphism rings of supersingular curves has become increasingly important [29,26,54,53]. It is now established that, assuming the generalised Riemann hypothesis, there exist probabilistic polynomial time algorithms for these two problems:
1. Given supersingular elliptic curves E_0, E_1 along with descriptions of their endomorphism rings, compute an isogeny path E_0 → E_1;
2. Given a supersingular elliptic curve E_0 along with a description of its endomorphism ring, and given an isogeny path E_0 → E_1, compute a description of the endomorphism ring of E_1.
These algorithms, and variants thereof, have successfully been used both constructively [31,22,17] and for cryptanalysis [29,44,46,26,23,28]. Without the additional information above, computing the endomorphism ring of an arbitrary supersingular curve remains a hard problem, both for classical and quantum computers. Given the importance of this problem, it is natural to ask whether it is possible to sample supersingular curves such that computing their endomorphism ring is a hard problem, crucially, even for the party who does the sampling. We shall call these objects Supersingular Elliptic Curves of Unknown Endomorphism Ring, or Secuer in short.
Applications. Generating a Secuer has turned out to be a delicate task, and no such curve has ever been generated. Yet, several isogeny based schemes can only be instantiated with a Secuer. This is the case, for example, of isogeny based verifiable delay functions [23] and delay encryption [8]. The so-called CGL hash function based on supersingular curves [13] has been shown to be broken by the knowledge of the endomorphism ring [26], and one possible fix is to instantiate it with a Secuer. Other protocols which require a Secuer include hash proof systems, dual mode PKE [1], oblivious transfer [38], and commitment schemes [49].
Contributions. We analyze and put into practice a protocol for distributed generation of Secuers. Our main technical contribution is a key ingredient of the protocol: a new proof of isogeny knowledge (two curves E_0 and E_1 being public, a party wishes to prove that they know an isogeny E_0 → E_1 without revealing it). Our proof is similar to the SIDH proof of knowledge [20,18], but extends it in a way that makes it compatible with any base field and any walk length, and has provable statistical zero-knowledge (unlike any previous proof of isogeny knowledge). In particular, its statistical security makes it fully immune to the recent attacks [10,41,47].
To prove statistical security, we analyze supersingular ℓ-isogeny graphs with level structure, a generalization of isogeny graphs that was recently considered in [22,3]. We prove that these graphs, like classic isogeny graphs, possess the Ramanujan property, a fact that is of independent interest. Using this property, we analyze the mixing behavior of random walks, which lets us give very precise parameters to instantiate the proof of knowledge at any given security level.
To show that the resulting protocol is practical, we implement it on top of Microsoft's SIDH library and benchmark it for each of the standard SIKE primes [35]. We must stress that SIDH-style primes are possibly the most favorable to our protocol in terms of practical efficiency.
Finally, we sketch a roadmap to run the distributed generation protocol for the SIKE primes in a real world setting with hundreds of participants.
Limitations. We must point out that our new proof of knowledge is not well adapted to a secure distributed generation protocol in the case where one wants to generate a Secuer defined over a prime field F_p instead of F_{p^2}, such as in [1,38]. Different proofs of knowledge [19,5] could be plugged into the distributed protocol for the F_p case; however, their practical usability is dubious.

Generating a Secuer
The cornerstone of isogeny based cryptography is the endomorphism ring problem: if it could be solved efficiently, then all of supersingular isogeny based cryptography would be broken [29,26,53], leaving only ordinary isogeny based cryptography [16,50,21] standing.
Definition 1 (Endomorphism ring problem). Given a supersingular curve E/F_{p^2}, compute its endomorphism ring End(E). That is, compute an integral basis for a maximal order O of the quaternion algebra ramified at p and ∞, as well as an explicit isomorphism O ≃ End(E).
For any p, there exists a polynomially sized subset of all supersingular curves for which the endomorphism ring can be computed in polynomial time [12,40], but the problem is believed to be exponentially hard in general, even for quantum computers. A related problem, commonly encountered in isogeny protocols, is finding paths in supersingular isogeny graphs.
Definition 2 (Isogeny ℓ-walk problem). Given two supersingular curves E, E′/F_{p^2} of the same order, and a small prime ℓ, find a walk from E to E′ in the ℓ-isogeny graph.
Such walks are always guaranteed to exist, as soon as they are allowed to have length in O(log(p)) [42,45,37,13]. The two problems are known to be polynomial time equivalent, assuming GRH [54]. Indeed, given End(E) and End(E′), it is easy to compute a path E → E′. Reciprocally, given End(E) and a path E → E′, it is easy to compute End(E′); and, by random self-reducibility, we can always assume that one of End(E) or End(E′) is known.
Our goal is to generate a Secuer: a curve for which the endomorphism ring problem is hard, and consequently one for which it is hard to find a path to any other given curve.
What does not work. The supersingular elliptic curves over a finite field k of characteristic p are those such that #E(k) ≡ 1 mod p. Any supersingular curve is isomorphic to one defined over a field with p^2 elements; thus, without loss of generality, we are only interested in supersingular curves defined over F_{p^2}. Among the p^2 isomorphism classes of elliptic curves over F_{p^2}, only ≈ p/12 of them correspond to supersingular curves.
The standard way to construct supersingular curves is to start from a curve with complex multiplication over a number field, and then reduce modulo p. Complex multiplication elliptic curves have supersingular reduction modulo 50% of the primes, thus this technique quickly produces supersingular curves for almost all primes. For example, the curve y^2 = x^3 + x, which has complex multiplication by the ring Z[i] of Gaussian integers, is supersingular modulo p if and only if p ≡ 3 mod 4. Most isogeny based protocols are instantiated using precisely this curve as starting point. These curves are not Secuers, though, because from the information on complex multiplication one can compute the endomorphism ring in polynomial time [12,40].
As p grows, the curves with computable complex multiplication form only a negligible fraction of all supersingular curves in characteristic p, so we may still hope to get a Secuer if we can sample a supersingular curve at random from the whole set. The natural way to do so is to start from a well known supersingular curve, e.g. E_0 : y^2 = x^3 + x, take a random walk E_0 → E_1 in the isogeny graph, and then select the arrival curve E_1. But, by virtue of the reductions mentioned above, any E_1 constructed this way cannot be called a Secuer either: whoever performed the walk knows a path from E_0, whose endomorphism ring is known, to E_1, and can therefore compute End(E_1).
Several other techniques have been considered for generating Secuers, however all attempts have failed so far [6,43].
Distributed generation of Secuers. An obvious solution that has been proposed for schemes that need a Secuer is to rely on a trusted party to start from a special curve E_0 and to perform an isogeny walk to a random curve E_1. Although E_1 is not a Secuer, if the trusted party keeps the walk E_0 → E_1 secret, no one else will be able to compute End(E_1).
Of course, relying on a trusted third party is undesirable. The natural next step is to turn this idea into a distributed protocol with t parties generating a sequence of walks First, suppose that the sequence was generated honestly: the i-th party indeed generated a random isogeny from the previous curve E_{i−1} to a new curve E_i. Then it is sufficient for a single party to honestly discard their isogeny for no path from E_0 to E_t to be known by anyone. Then, E_t is a Secuer for all practical purposes.
To make this protocol secure against active adversaries, an additional ingredient is needed. As it is, the last party could cheat as follows: instead of generating an isogeny E_{t−1} → E_t, they could reboot the chain and generate an isogeny E_0 → E_t. They could then compute the endomorphism ring of E_t. If only the curves E_i along the path are revealed, it is impossible to detect such misbehavior. To prevent this, each party needs to prove that they know their component of the walk: an isogeny E_{i−1} → E_i (as first discussed in [8]). To this end, we develop a statistically zero-knowledge proof of isogeny knowledge.

Proof of isogeny knowledge
State-of-the-art. Protocols to prove knowledge of an isogeny have been mostly studied for signatures. The first such protocol is the SIDH-based proof of knowledge of [20]. Its security proof was found to be flawed and then fixed, either by changing the assumptions [32] or by changing the protocol [18]. However, these protocols are now fully broken by the recent polynomial time attacks on SIDH-like protocols [10,41,47].
CSIDH-based proofs of knowledge were first introduced in [19], and then improved in [5] for the parameter set CSIDH-512. These are limited to isogeny walks between curves defined over a prime field F_p, and tend to be prohibitively slow outside of the specially prepared parameter set CSIDH-512.
Finally, De Feo and Burdges propose an efficient proof of knowledge tailored to the finite fields used in delay protocols [8]. However, the soundness of this protocol is only conjectural and, being based on pairing assumptions, it is broken by quantum computers.
In summary, no general purpose, quantum-safe, zero-knowledge proof of knowledge of an isogeny walk between supersingular curves defined over F_{p^2} exists in previous literature.
Overview of our method. Our main technical contribution is a new proof of knowledge that ticks all the boxes above: it is compatible with any base field and any walk length, it has provable statistical zero-knowledge, and it is practical, as illustrated by our implementation. The idea is the following. Two elliptic curves E_0 and E_1 being public, some party, the prover, wishes to convince the verifier that they know an isogeny ϕ : E_0 → E_1 (of degree, say, 2^m, large enough so that such an isogeny is guaranteed to exist). First, the prover secretly generates a random isogeny walk ψ : E_0 → E_2 of degree, say, 3^n. Defining ϕ′ with kernel ψ(ker(ϕ)), and ψ′ with kernel ϕ(ker(ψ)), one obtains the following commutative diagram: Now, the prover publishes a hiding and binding commitment to E_2 and E_3. The verifier may now ask the prover to reveal one of the three isogenies ψ, ϕ′, or ψ′, by drawing a random chall ∈ {−1, 0, 1} (and open the commitment(s) corresponding to the relevant endpoints). For the prover to succeed with overwhelming probability, they must know all three answers, so they must know an isogeny from E_0 to E_1: the composition ψ̂′ ∘ ϕ′ ∘ ψ : E_0 → E_1. This is the idea behind the soundness of the protocol.
So far, this protocol is more or less folklore and superficially similar to [18, §5.3]. But does it leak any information? Whereas previous protocols only achieved computational zero-knowledge, we provide a tweak that achieves statistical zero-knowledge: there is a simulator producing transcripts that are statistically indistinguishable from a valid run of the protocol. The simulator starts by choosing the challenge chall first, then it generates an isogeny that is statistically indistinguishable from either ψ, ϕ′, or ψ′, according to the value of chall. Simulating ψ (or ψ′) is straightforward: generate a random isogeny walk ψ̃ (or ψ̃′) of degree 3^n from E_0 (or from E_1). The isogeny ψ̃ is a perfect simulation of ψ. Simulating ϕ′ seems trickier. An obvious approach is to first generate a random E_2 (for instance, by simulating ψ̃ : E_0 → E_2), then generate a random walk isogeny ϕ̃′ : E_2 → E_3 of degree 2^m. While this may seem too naive, we in fact prove that when deg(ψ) is large enough, the distribution of ϕ̃′ is statistically close to an honestly generated ϕ′. The key is a proof that the isogeny graph enriched with so-called level structure has rapid mixing properties.
Isogeny graphs with level structure. The isogeny ϕ′ is essentially characterised by its source, E_2, and its kernel ker(ϕ′), a (cyclic) subgroup of order deg(ϕ′). We are thus interested in random variables of the form (E, C), where E is an elliptic curve, and C a cyclic subgroup of E of order some integer d (not divisible by p). We call such a pair (E, C) a level d Borel structure.
The simulator proposed above essentially generates ϕ̃′ as a uniformly random level 2^m Borel structure (E, C) = (E_2, ker(ϕ̃′)). On the other hand, an honestly generated ϕ′ corresponds to a pair (ψ(E_0), ψ(ker ϕ)), and ψ is a uniformly random isogeny walk of degree 3^n. This process corresponds to a random walk of length n in the 3-isogeny graph with level 2^m structure, with starting point (E_0, ker ϕ). We prove the following result. As a consequence, we prove that random walks quickly converge to the stationary distribution, so ϕ̃′ and ϕ′ are statistically indistinguishable.
Paper outline. We start in Section 2 with a few technical preliminaries on elliptic curves, isogenies, and proofs of knowledge. Section 3 is dedicated to the proof of Theorem 3. This section can be read independently from the rest. The reader only interested in applications, and willing to accept Theorem 3 (and its consequence on non-backtracking random walks, Theorem 11, page 11), can safely skip to the following section. With this theoretical tool at hand, we then describe and analyse the new proof of isogeny knowledge in Section 4. We describe the protocol to generate a Secuer in Section 5, and prove its security. Finally, we report on our implementation in Section 6.

General Notations
We write x ← X to represent that an element x is sampled at random from a set/distribution X. The output x of a deterministic algorithm A is denoted by x = A and the output x′ of a randomized algorithm ) the set of integers lying between a and b, both inclusive (the set of integers lying between 1 and a, both inclusive). We refer to λ ∈ N as the security parameter, and denote by poly(λ), polylog(λ) and negl(λ) any generic (unspecified) polynomial, poly-logarithmic or negligible function in λ, respectively. For probability distributions X and Y, we write X ≈ Y if the statistical distance between X and Y is negligible.

Elliptic curves, isogenies and "SIDH squares"
We assume the reader has some familiarity with elliptic curves and isogenies. Throughout the text, p shall be a prime number, and F_p and F_{p^2} the finite fields with p and p^2 elements respectively. Unless specified otherwise, all elliptic curves will be supersingular and defined over F_{p^2}. We write E[d] for the subgroup of d-torsion points of E over the algebraic closure.
Unless specified otherwise, all isogenies shall be separable. If G is a finite subgroup of E, we write ϕ : E → E/G for the unique (up to post-composition with an isomorphism of E/G) separable isogeny with kernel G. If G is cyclic, we say the isogeny is cyclic. We denote by ϕ̂ the dual isogeny of ϕ. Separable isogenies and their duals can be computed and/or evaluated in time poly(#G) using any of the algorithms in [51,4]; however, in some cases, e.g. when #G only contains small factors, this cost may be lowered to as little as polylog(#G).
Given separable isogenies ϕ : E_0 → E_1 and ψ : E_0 → E_2 of coprime degrees, we obtain the commutative diagram in (1) by defining ϕ′ : E_2 → E_2/ψ(ker(ϕ)) and ψ′ : E_1 → E_1/ϕ(ker(ψ)). Again, E_3 is only defined up to isomorphism. In categorical parlance, this is the pushout of ϕ and ψ, but cryptographers may know it better through its use in the SIDH key exchange. We refer to these commutative diagrams as SIDH squares or SIDH ladders (see Section 4.2 for more details).

Proofs of Knowledge
Our main technical contribution is a Σ-protocol to prove knowledge of an isogeny of given degree between two supersingular elliptic curves. Recall that a Σ-protocol for an NP-language L is a public-coin three-move interactive proof system consisting of two parties: a verifier and a prover. The prover is given a witness w for an element x ∈ L; their goal is to convince the verifier that they know w.
Definition 4 (Σ-protocol). A Σ-protocol Π_Σ for a family of relations {R}_λ parameterized by security parameter λ consists of PPT algorithms (P_1, P_2, V) where V is deterministic and we assume P_1, P_2 share states. The protocol proceeds as follows:
1. The prover, on input (x, w) ∈ R, returns a commitment com ← P_1(x, w) which is sent to the verifier.
2. The verifier flips λ coins and sends the result to the prover.
3. Call chall the message received from the verifier; the prover runs resp ← P_2(chall) and returns resp to the verifier.
4. The verifier runs V(x, com, chall, resp) and outputs a bit.
A transcript (com, chall, resp) is said to be valid, or accepting, if V(x, com, chall, resp) outputs 1. The main requirements of a Σ-protocol are:
Correctness: If the prover knows (x, w) ∈ R and behaves honestly, then the verifier outputs 1.
n-special soundness: There exists a polynomial-time extraction algorithm that, given a statement x and n valid transcripts (com, chall_1, resp_1), ..., (com, chall_n, resp_n) where chall_i ≠ chall_j for all 1 ≤ i < j ≤ n, outputs a witness w such that (x, w) ∈ R with probability at least 1 − ε, for soundness error ε.
A special sound Σ-protocol for R is also called a Proof of Knowledge (PoK) for R. Our Σ-protocol will have the peculiar property that the relation used to prove correctness turns out to be a subset of the one used to prove soundness. This will require extra care when proving security in Section 5.
Special Honest Verifier Zero-knowledge (SHVZK): There exists a polynomial-time simulator that, given a statement x and a challenge chall, outputs a valid transcript (com, chall, resp) that is indistinguishable from a real transcript.
Definition 5. A Σ-protocol (P_1, P_2, V) is computationally special honest verifier zero-knowledge if there exists a probabilistic polynomial time simulator Sim such that for all probabilistic polynomial time stateful adversaries A If the adversary is unbounded, the protocol is said to be statistically SHVZK.

Non-Interactive Zero-Knowledge Proofs
In this paper, we consider non-interactive zero-knowledge (NIZK) proofs in the random oracle model that satisfy correctness, computational extractability and statistical zero-knowledge.
Definition 6 (NIZK proofs). Let R be a relation and let the language L be a set of statements {st ∈ {0, 1}^n} such that for each statement st ∈ L there exists a corresponding witness wit such that (st, wit) ∈ R. A non-interactive zero-knowledge (NIZK) proof system for R is a tuple of probabilistic polynomial-time (PPT) algorithms NIZK = (P_NIZK, V_NIZK) defined as follows (we assume that all algorithms in the description below have access to a common random oracle; we omit specifying it explicitly for ease of exposition):
- P_NIZK(st, wit): A PPT algorithm that, given a statement st ∈ {0, 1}^n and a witness wit such that (st, wit) ∈ R, outputs a proof Π.
- V_NIZK(st, Π): A deterministic algorithm that, given a statement st ∈ {0, 1}^n and a proof Π, either outputs 1 (accept) or 0 (reject).
Computational Extractability. There exists an efficient PPT extractor Ext_NIZK such that for any security parameter λ ∈ N and for any polynomially bounded cheating prover P* where: (i) Ext_NIZK has rewinding access to P*, and (ii) P_NIZK, Ext_NIZK and P* all have access to a common random oracle, letting (st, Π)
Statistical Zero Knowledge. There exists an efficient PPT simulator Sim_NIZK such that for any security parameter λ ∈ N and for any non-uniform unbounded "cheating" verifier V* = (V*_1, V*_2) where P_NIZK, V*_1 and V*_2 all have access to a common random oracle, and such that Sim_NIZK is allowed programming access to the same random oracle, we have where (st, wit, ξ) ← V*_1(1^λ), Π ← P_NIZK(st, wit), and Π ← Sim_NIZK(st).

Isogeny graphs and expansion
Let p be a prime and d an integer not divisible by p. An elliptic curve with level d Borel structure is a pair (E, C), where E is an elliptic curve defined over a field of characteristic p and C is an order We say that two such pairs (E_1, C_1) and (E_2, C_2) are isomorphic if there exists an isomorphism ϕ : Let ℓ be a prime not dividing pd. The supersingular ℓ-isogeny graph with level representatives of the set of isomorphism classes of supersingular elliptic curves with a level d Borel structure defined over F_{p^2}. We note that each such class over F̄_p admits a model defined over F_{p^2}: each isomorphism class of supersingular elliptic curves has a representative E such that #E(F_{p^2}) = (p + 1)^2 and thus the p^2-Frobenius acts as the scalar multiplication [−p], so the kernel of any ℓ-isogeny is Gal(F_{p^2})-invariant.
Now, the set of edges from The number of edges is independent of the representative of the isomorphism classes. When d = 1, we recover the usual definition of the supersingular ℓ-isogeny graph.
This graph is directed. The out-degree of each vertex is ℓ + 1; however, the in-degree is not always ℓ + 1, hence the adjacency matrix of the graph is not always symmetric., d, ℓ). On the complex vector space C^V we introduce the Hermitian form Q((E_i, C_i), (E_j, C_j)) = w_i δ_ij, where δ_ij is the Kronecker symbol and

Generalities on the graph and its adjacency matrix
Denote by ‖·‖_Q the associated norm. We will compare ‖·‖_Q with the L^1 and L^2 norms on C^V. The set Ω of probability distributions on V is the set of vectors with real positive entries and L^1 norm equal to 1. Consider also the vector E = Σ_{i=1}^{n} (1/w_i)(E_i, C_i), and s the probability distribution obtained by normalizing E. The following result contains a number of general facts about the adjacency matrix of G, which will be used later on.
Theorem 7.
1. The adjacency matrix A of G is self-adjoint with respect to Q; in particular it is diagonalizable with real eigenvalues and eigenvectors;
2. The vector E is a left-eigenvector of A with eigenvalue ℓ + 1;
3. The vector u with all entries equal to 1 is a right-eigenvector of A; in particular its orthogonal complement S with respect to the L^2 scalar product is preserved by right multiplication by A;
, where, in the product, q runs over the prime divisors of d;
Proof. First we show 1. Let L_ij be the set of degree ℓ isogenies from Since ℓ is coprime with d, ℓC_i is equal to C_i, and the duality gives a bijection between L_ij and L_ji. The entry a_ij of A is the cardinality of the quotient Dividing this equality by two we get w_i a_ji = w_j a_ij. The claim now follows from the definition of Q.
We now prove 2. We have To see part 3, observe that the out-degree of each vertex of G is ℓ + 1, hence the sum of the elements of each row of A is ℓ + 1, which proves the claim.
We now prove 4. Let ⟨·,·⟩ be the Hermitian product on C^V such that the basis Then, the Cauchy-Schwarz inequality gives and moreover we get the equality when ṽ = w/‖w‖_{L^1}. We now compute We are going to show that, for H the group of upper triangular matrices Taking this equation for granted, K can be computed by writing d = ∏_q q^{e_q} and checking that |GL_2(Z/dZ)| = ∏_q (q^{2e_q} − q^{2e_q−2})(q^{2e_q} − q^{2e_q−1}) and |H| = ∏_q q^{e_q}(q^{e_q} − q^{e_q−1})^2.
Equation (2) is the equation of the orbits for a group action. Fix an elliptic curve E and let X be the set of order d cyclic subgroups of E[d]. This set has a natural transitive action by Aut(E[d]) ≅ GL_2(Z/dZ), which gives a bijection X ↔ GL_2(Z/dZ)/H, so the right hand side of Equation (2) is the cardinality of X. Level d Borel structures on E are the orbits of the action of Aut(E) on X. The left hand side of Equation (2) is again the cardinality of X, obtained by summing the cardinalities of each orbit.
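As an added worked example (our code, not the paper's), the following Python computes K = |GL_2(Z/dZ)|/|H| from the two product formulas above and checks it against a brute-force count of the cyclic subgroups of order d in (Z/dZ)^2, which is the cardinality of X in the orbit argument. The factorisation helper and the brute-force counter are ours; the only input is the integer d. The brute force rests on the fact that (x, y) ∈ (Z/dZ)^2 has order d/gcd(x, y, d), so the elements of exact order d are the pairs with gcd(x, y, d) = 1, and each cyclic subgroup of order d contains φ(d) of them.

```python
from math import gcd


def factorize(d):
    """Prime factorisation of d >= 1 as {q: e_q}, by trial division."""
    factors = {}
    q = 2
    while q * q <= d:
        while d % q == 0:
            factors[q] = factors.get(q, 0) + 1
            d //= q
        q += 1
    if d > 1:
        factors[d] = factors.get(d, 0) + 1
    return factors


def order_gl2(d):
    """|GL_2(Z/dZ)| = prod_q (q^{2e} - q^{2e-2}) (q^{2e} - q^{2e-1}),
    the formula used in the proof of Theorem 7."""
    total = 1
    for q, e in factorize(d).items():
        total *= (q ** (2 * e) - q ** (2 * e - 2)) * (q ** (2 * e) - q ** (2 * e - 1))
    return total


def order_borel(d):
    """|H| = prod_q q^e (q^e - q^{e-1})^2 for H the upper-triangular subgroup
    of GL_2(Z/dZ): two unit diagonal entries and one free corner entry."""
    total = 1
    for q, e in factorize(d).items():
        total *= q ** e * (q ** e - q ** (e - 1)) ** 2
    return total


def borel_count_formula(d):
    """K = |GL_2(Z/dZ)| / |H|: the number of cyclic subgroups of order d in
    E[d] ~ (Z/dZ)^2, i.e. #X before quotienting by Aut(E)."""
    return order_gl2(d) // order_borel(d)


def euler_phi(d):
    """Euler's totient phi(d), computed from the factorisation."""
    total = d
    for q in factorize(d):
        total = total // q * (q - 1)
    return total


def borel_count_bruteforce(d):
    """Direct count of cyclic subgroups of order d in (Z/dZ)^2.
    (x, y) has order d / gcd(x, y, d); the pairs with gcd(x, y, d) = 1 are the
    generators of order-d cyclic subgroups, phi(d) of them per subgroup."""
    generators = sum(
        1 for x in range(d) for y in range(d) if gcd(gcd(x, y), d) == 1
    )
    return generators // euler_phi(d)


def check_range(dmax):
    """Values of d in [1, dmax] on which the formula and the brute force disagree."""
    return [d for d in range(1, dmax + 1)
            if borel_count_formula(d) != borel_count_bruteforce(d)]


if __name__ == "__main__":
    for d in (2, 3, 4, 6, 12, 2 ** 5, 3 ** 3 * 5):
        print(d, borel_count_formula(d), borel_count_bruteforce(d))
    print("mismatches up to 60:", check_range(60))
```

For d = ℓ prime the count is ℓ + 1, the out-degree of the ℓ-isogeny graph (the ℓ + 1 cyclic subgroups of order ℓ of E[ℓ] are exactly the kernels of the outgoing edges); in general the ratio of the two products collapses to the Dedekind ψ function, K = d ∏_{q | d} (1 + 1/q), which is what the brute force reproduces.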
Finally we prove 5. Let π = Σ_{i=1}^{n} π_i (E_i, C_i) be a probability distribution and let λ = We conclude recalling that w_i ≤ 3 for every i. Notice that for π = (E_i, C_i) we get ‖π − s‖²_Q = w_i − 1/λ, hence the above estimate is not too loose.

Proof of Theorem 3
We now prove that G = G(p, d, ℓ) has the Ramanujan property. This follows from the first three items of Theorem 7 combined with the following result, whose proof heavily relies on the theory of modular forms.
Theorem 8. Let S ⊂ C^V be the subspace of vectors Σ_i v_i (E_i, C_i) such that Σ_i v_i = 0, as in Theorem 7. The eigenvalues of the action of A on S are all contained in the Hasse interval
To prove Theorem 8, we assume standard notations and results about quadratic forms and modular forms, such as the ones from [25,48,33]. Given two elliptic curves with level structure (E_i, C_i) and (E_j, C_j), we denote by Λ_ij the lattice of isogenies ϕ : The degree defines a quadratic form deg on Λ_ij. This quadratic module has rank four, level dp and determinant d^2 p^2. We can thus define the theta series This function is in M_2(Γ_0(dp)), the space of modular forms of weight two for the modular group Γ_0(dp), by [33, Theorem 4.2] (observe that in loc. cit. the exponential is one because Q(h) is an integer; moreover, we choose P = 1) or [48, Chapter IX, Theorem 5, page 218]. The above construction extends to a Hermitian pairing We call this pairing the Brandt pairing, even though there is a little ambiguity in this set-up. The Brandt pairing is non-degenerate: let v = Σ_i c_i (E_i, C_i); then the coefficient of q in Θ(v, v) is the Hermitian norm of the vector of coefficients (..., c_i, ...). We will prove the following two key propositions.
Proposition 9. The Brandt pairing intertwines the adjacency matrix A of G and the Hecke operator
Proposition 10. For every three elliptic curves with level structure
The combination of these two results tells us that the spectrum of the action of A restricted to S is contained in the spectrum of the action of the Hecke operator T_ℓ on the space of cusp modular forms of weight two for Γ_0(dp). The Ramanujan Conjecture, proved by Eichler, predicts that this second spectrum is contained in the Hasse interval, and hence proves Theorem 8.
We refer to [24, Theorem 8.2] for a proof of the Ramanujan Conjecture. In loc. cit. this result is proven only for eigenvectors of T_ℓ which are newforms. An eigenvector which is an old form will come from an embedding ι : S_2(Γ_0(m)) → S_2(Γ_0(dp)) with m dividing dp. Since ℓ is coprime with dp, the map ι is T_ℓ-equivariant (cf. [25, proof of Proposition 5.6.2]), so we can still deduce our result from [24, Theorem 8.2]. It is worth recalling that [24, Theorem 8.2] is far more general than what we need, as it applies to modular forms of every weight.

Proof of Proposition 9
We prove that both sides have the same q-expansions. For a power series On the other hand, where C varies among the cyclic non-trivial subgroups of E_i[ℓ] of cardinality ℓ, and π_C is the projection and let F be the disjoint union of the above maps. The map F is surjective: and we can write α = f ∘ π_C. In particular, let us compute the cardinality of the fiber The quadratic module (Λ/c_0Λ, deg) is (non-canonically) isomorphic to a Borel subalgebra of (End((Z/c_0Z)^{⊕2}), det). An isomorphism can be obtained by mapping it to Hom(E[c_0], E′[c_0]) and then choosing a symplectic basis.
If ϵ = 0 we are done; otherwise ϵ = 1. Since [Hom(E, E′) : Λ] = d is prime to p, we have Λ/p = Hom(E, E′)/p = (Hom(E, E′) ⊗ Z_p)/p, and the quadratic Z_p-module Hom(E, E′) ⊗ Z_p does not depend on the pair because, by the Deuring correspondence (see e.g. [52, Theorem 42.3.2]) together with [52, Lemma 19.6.6], it is isomorphic to λO_p with the reduced norm, where O_p is the maximal order in the non-ramified quaternions over Q_p, and λ is an element of norm prime to p.

Mixing time of non-backtracking walks
We finally analyze the behavior of random walks in G = G(p, d, ℓ), which we will ultimately use to prove statistical indistinguishability of distributions arising from our proof of knowledge. First, observe that Theorem 7 item 2 shows that the probability distribution s introduced in Subsection 3.1 is the stationary distribution on G. This is nearly the uniform distribution: all curves are equally likely, with the possible exception of the two curves with extra automorphisms, j = 1728 and j = 0, which are respectively twice and thrice less likely.
We are going to determine the speed at which random walks converge to the stationary distribution. We focus on non-backtracking walks, which are the most useful for cryptographic protocols, but, because the graph is directed, we need some care to define them. Edges of G are equivalence classes of isogenies, so we choose a representative for each class. For an edge α we define its dual edge as the chosen representative β for the class Aut(E, C)α̂, so that βα = uℓ for u ∈ Aut(E, C). Notice that the dual of β (as an edge) might be different from α, but this is not relevant for us. We say that a random walk on G is a non-backtracking walk if an edge is never followed by its dual.
With this "duality", we have that isogenies of degree a power of ℓ and with cyclic kernel (up to the equivalence α ∼ β iff ker α = ker β) correspond to non-backtracking walks.
Theorem 11 (Mixing time). Let π be a probability distribution on G, and π^(k) the distribution obtained after a non-backtracking random walk of length k. Then we have where K and M are as in Theorem 7.
Proof. Denote by A^(k) the matrix whose (i, j) entry is the number of non-backtracking walks of length k from i to j. Since each edge has a unique dual, we get the same recurrence formula as in the non-oriented case, namely 1) .
Observe that the sum of all the entries in a fixed row of A^(k) is (ℓ + 1)ℓ^{k−1}. We denote by P^(k) its normalization Hence, P^(k) is a polynomial in A, see e.g. [2, Section 2]. Let us call this polynomial μ_k(x) (here, the use of the symbol μ_i is slightly different from the one of [2]). The matrix P^(k) is diagonalizable, it has the same eigenvectors as A, and has eigenvalues μ_k(ℓ + 1) = 1 and μ_k(λ_i), where λ_i is any eigenvalue of A different from ℓ + 1.
Combining the proof of [2, Lemma 2.3] and Theorem 3, we get Now observe that π (k) = πP (k) , and hence π (k) − s = (π − s) P (k) .The difference of two probability distributions is orthogonal for the standard L 2 scalar product to the vector u from Theorem 7 item 3. Since E is not orthogonal to u, by Theorem 7 item 3 we conclude that π − s is in the linear span of the eigenvectors of A corresponding to eigenvalues different from ℓ + 1.Since A is self-adjoint with respect to Q, using Equation ( 6) we have The definition of K and M from Theorem 7 tells that We obtain the result recalling that the total variation distance between two probability distributions is half of the L 1 distance, see e.g.[39, Proposition 4.2].
Remark 12 (Improvement of Theorem 11 and Lemma 15). Under the assumption that the eigenvalues of the adjacency matrix of G are strictly contained in the Hasse interval (so there are no eigenvalues equal to ±2√ℓ), Theorem 11 can be improved: the linear factor (k + 1) can be replaced by a constant which does not depend on k. Indeed, as ±2√ℓ is not an eigenvalue, sin(θ) in Equation 5 never vanishes. If we write |sin(θ)| ≥ ε for some ε > 0, we obtain which can be used in place of Equation 6. Observe that, even with this improvement, the bound will not be sharp, because in the bound of Equation 7 we consider only the eigenvalues with greatest modulus, while the other eigenvalues of A have smaller modulus. This argument in turn improves Lemma 15, where the linear factor k can be replaced by a constant independent of k.
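As an added worked example (not code from the paper), the recurrence invoked in the proof of Theorem 11 and the total variation distance that its statement bounds can be checked on a small stand-in graph. The Petersen graph is used here, as an assumption, in place of G(p, d, ℓ): it is 3-regular (so ℓ = 2), simple, and Ramanujan, so the same recurrence A^(1) = A, A^(2) = A² − (ℓ+1)I, A^(k+1) = A^(k)A − ℓA^(k−1) counts its non-backtracking walks. The uniform distribution plays the role of the stationary distribution s, since the toy graph has no vertices with extra automorphisms. The recurrence is cross-checked against a brute-force enumeration of walks.

```python
from fractions import Fraction
from itertools import combinations

def petersen_graph():
    """Constructed stand-in for an (l+1)-regular graph with l = 2: vertices are
    the 2-subsets of {0,..,4}, adjacent exactly when disjoint (Petersen graph).
    Returns the adjacency matrix as a list of rows."""
    verts = list(combinations(range(5), 2))
    return [[int(not set(u) & set(v)) for v in verts] for u in verts]

def matmul(A, B):
    n = len(A)
    return [[sum(A[i][k] * B[k][j] for k in range(n)) for j in range(n)]
            for i in range(n)]

def nb_walk_matrices(A, l, kmax):
    """Return [A^(0), ..., A^(kmax)] where A^(k)[i][j] counts non-backtracking
    walks of length k from i to j, via the recurrence used in the proof of
    Theorem 11: A^(1) = A, A^(2) = A^2 - (l+1)I, A^(k+1) = A^(k)A - l*A^(k-1)."""
    n = len(A)
    I = [[int(i == j) for j in range(n)] for i in range(n)]
    mats = [I, A]
    if kmax >= 2:
        A2 = matmul(A, A)
        mats.append([[A2[i][j] - (l + 1) * I[i][j] for j in range(n)]
                     for i in range(n)])
    for k in range(2, kmax):
        AkA = matmul(mats[k], A)
        mats.append([[AkA[i][j] - l * mats[k - 1][i][j] for j in range(n)]
                     for i in range(n)])
    return mats

def nb_walks_bruteforce(A, k, start, end):
    """Enumerate walks v0..vk with v_{i+1} adjacent to v_i and v_{i+1} != v_{i-1};
    an independent check of the recurrence above."""
    n = len(A)
    def rec(prev, cur, steps):
        if steps == 0:
            return int(cur == end)
        return sum(rec(cur, nxt, steps - 1) for nxt in range(n)
                   if A[cur][nxt] and nxt != prev)
    return rec(None, start, k)

def tv_from_stationary(A, l, k, start):
    """Total variation distance between pi^(k), the law of a length-k
    non-backtracking walk from `start`, and the uniform distribution, which is
    stationary here (the s of Theorem 7 differs from uniform only at the curves
    with extra automorphisms, which this toy graph does not have)."""
    n = len(A)
    Ak = nb_walk_matrices(A, l, k)[k]
    total = (l + 1) * l ** (k - 1)          # row sum of A^(k), as in the proof
    return sum(abs(Fraction(Ak[start][j], total) - Fraction(1, n))
               for j in range(n)) / 2
```

Row sums of A^(k) come out as (ℓ+1)ℓ^(k−1), matching the observation in the proof, and the distance from a single starting vertex drops from 7/10 at k = 1 to 1/5 at k = 4; how fast it keeps dropping is exactly what the bound in Theorem 11 controls through the nontrivial eigenvalues of A.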

Proof of Knowledge
Our goal is to provide a PoK of an isogeny walk ϕ : E_0 → E_1 between two supersingular curves defined over F_{p^2} that can be seamlessly plugged into a distributed Secuer generation protocol. For this, we need the following properties:
1. Compatible with any pair of curves (E_0, E_1); this rules out [30,31], which is restricted to a special starting curve E_0, and [19] and derivatives, which are restricted to curves defined over F_p.
2. Statistically ZK, so that the security of the final Secuer does not hinge on computational assumptions brought in by the PoK; this rules out all other isogeny-based PoKs in the literature.
3. Post-quantum secure, relying on as few additional assumptions as possible; this rules out many generic ZK proof systems.
4. Ideally, compatible with any walk length and any base field F_{p^2}.
5. Usable in practice for cryptographically sized finite fields.
The only attempt at using generic proof systems to prove knowledge of isogeny walks has been made in [14], and is based on a SNARG derived from a Sumcheck protocol carefully optimized for isogenies. However, this work does not consider ZK, and does not evaluate the concrete efficiency of the SNARG. Even if it could be made efficient, adding post-quantum ZK would likely come at a considerable cost, thus we do not investigate this path further.
Our new PoK inherits from the SIDH-based Σ-protocol of De Feo, Jao and Plût [20], and from the recent developments of De Feo, Dobson, Galbraith and Zobernig [18]. The common theme of all of them is to construct random SIDH squares on top of the secret isogeny ϕ : and to reveal some, but not all, of the edges ψ, ψ′, ϕ′ in response to a challenge. The reason these protocols are not statistically ZK is that the side ϕ′ is strongly correlated to the parallel side ϕ (often unique given E_2) and can thus easily be distinguished by an unbounded adversary.
Our first idea is to make the walk ψ long enough that the distribution of (E_2, ϕ′) becomes statistically close to the uniform distribution on supersingular curves with isogenies of degree deg(ϕ). To prove it, we will use the properties of isogeny graphs with level structure analyzed in Section 3.
But making ψ longer is easier said than done. SIDH-based protocols are constrained in the lengths of ϕ and ψ by the form of the prime p: typically, p + 1 = 2^a 3^b, and then deg(ϕ) = 2^a and deg(ψ) = 3^b. Our second idea is to glue several SIDH squares together to make longer walks (see Fig. 2). We call these larger diagrams SIDH ladders.
A valuable side-effect of gluing SIDH squares together is that we can free ourselves from the constraints on p. All we need is that isogenies of a small prime degree ℓ coprime to deg(ϕ) can be computed efficiently; then we stack vertically sufficiently many SIDH squares to make deg(ψ) = ℓ^n as large as we need. In practice, we will take deg(ϕ) = 2^m, deg(ψ) = 3^n, and the protocol will be most efficient for SIDH primes, but in full generality our protocol works for any base field and any isogeny degree.

Protocol description and analysis
Let E_0, E_1 be supersingular curves defined over a finite field F_{p^2}, and let ϕ : E_0 → E_1 be a cyclic separable isogeny of smooth degree d. Let ℓ be a small prime not dividing pd. Let C(m; r) be a statistically hiding and computationally binding commitment scheme. Our Σ-protocol is described in Fig. 1; it depends on a parameter n, controlling the length of the ℓ-isogeny walks, that we will determine in Definition 16. The prover consists of two stateful algorithms (P_1, P_2): the former is randomized and produces a commitment (com_2, com_3), the latter receives a ternary challenge chall ∈ {−1, 0, 1} and produces a deterministic response resp. The verifier is a deterministic algorithm that receives (com_2, com_3), chall, resp and outputs a bit indicating whether or not the proof is accepted.
Assuming the commitment C is computationally binding, it is 3-special sound for the relation More precisely, there is a probabilistic polynomial time algorithm that, given three successful transcripts of the protocol with the same commitments and distinct challenges, either recovers a witness χ : E_0 → E_1, or opens one of the commitments C(E_i; r_i) to two distinct values (breaking the binding property).
Proof. Correctness. Suppose that the prover P = (P_1, P_2) and the verifier V follow the protocol. First note that, since the degree d of ϕ is smooth, the SIDH ladder in P_1 can be constructed as described in Section 4.2. Then it is clear that the commitments open successfully, and the verifier accepts the transcript for any challenge. 3-special soundness. Given three accepting transcripts (com, −1, resp_{−1}), (com, 0, resp_0) and (com, 1, resp_1), recover (ϕ′, E_2, r_2, E_3, r_3) = resp_0, where ϕ′ : E_2 → E_3 is an isogeny. If the curves in resp_{−1} and resp_1 are not equal to E_2 and E_3 respectively, then we can open one of the commitments C(E_2; r_2) or C(E_3; r_3) to two distinct outputs. Otherwise, we have resp_{−1} = (ψ, E_2, r_2) and resp_1 = (ψ′, E_3, r_3) where ψ : Factoring out the non-cyclic part of χ′, we extract a cyclic isogeny χ : • χ for some 0 ≤ i ≤ n; however, as in the original SIDH PoK [18,32], we cannot guarantee that i = 0.
We are now going to define the simulator for proving ZK. Simulating chall = ±1 is easy; however, how well we can simulate the case chall = 0 depends on the parameter n given to P_1. The opening (E_2, ϕ′ : E_2 → E_3) can be equivalently viewed as the curve with level d Borel structure (E_2, ker(ϕ′)). Our goal is to have this opening distributed like a "random" vertex in the graph G = G(p, d, ℓ). To this effect, we define two sequences D_1(k) and D_2(k) of probability distributions on G, and we show that they converge as k grows.
Definition 14. Let ϕ : E_0 → E_1 be a cyclic separable isogeny of degree d. Define where C_E(f) is the uniform distribution on the cyclic subgroups of order f of E, up to Aut(E).
Lemma 15. Keep notations as above, fix a positive real number ε, and let k be a positive integer such that is the total variation distance between the two distributions, also known as statistical distance.
Proof. We bound the statistical distance of each of D_1(k) and D_2(k) from the stationary distribution of G(p, d, ℓ), as determined in Theorem 7, then we conclude with the triangle inequality. For D_1(k), we can directly apply Theorem 11, but D_2(k) needs more care. Let G_0 be the classical isogeny graph. This can be thought of as the graph with d = 1 Borel level structure. Let s_0 be the stationary distribution on G_0. Consider the projection map P : G → G_0 which forgets the level structure. The push-forward distribution P_*D_2(k) is the distribution of the length-k non-backtracking walks starting at E_0, so we can bound its total variation distance from s_0 using Theorem 11. For any probability distribution π on G_0, let us denote π the distribution on G obtained by first choosing E with distribution π and then choosing C uniformly inside the set of cyclic subgroups of order d. Notice that for any two subgroups C, C′, the pair (E, C) defines the same vertex as (E, C′) if and only if there exists an automorphism of E sending C to C′. This, together with the fact that the set of C's for a single E has cardinality where H is the subgroup of upper triangular matrices. The above formula, together with (2), implies that for every probability distribution π on G_0 and every subset A of G_0, one has π(P^{−1}(A)) = π(A). In turn, this means that for π_1, π_2 probability measures on G_0, we have

Proof. We simulate the honest prover for each of the three challenges as follows.

Executing the protocol
The protocol we just described crucially depends on the ability to construct a commutative square with sides of degrees d and ℓ^n. The SIDH setting has p + 1 = d · ℓ^n, so that the square can be constructed by simply pushing a single kernel point for ψ through ϕ and vice versa. We refer to such a square as an SIDH square. For more general choices of ℓ^n and d, the kernels are typically generated by points defined over very large extension fields, requiring superpolynomial space. We efficiently construct such "larger" squares by gluing together several SIDH squares in what we call SIDH ladders, as depicted in Fig. 2.
For simplicity, we shall present the case d = (2^a)^w and ℓ^n = (3^b)^h, where 2^a and 3^b are the side lengths of an SIDH square, and w and h are positive integers defining the width and height of the ladder in units of SIDH squares. However, the technique generalizes easily to any coprime d and ℓ^n, as long as isogenies of degrees d and ℓ can be efficiently computed.
First, notice that there always exists some choice of a and b such that points (and hence kernel subgroups) of orders 2^a and 3^b can be represented efficiently. This is clear if the prime p is an SIDH prime where 2^a 3^b | (p + 1), but for a generic prime p one can set a = b = 1: points of order 2 and 3 are defined over a small extension field and can thus be efficiently represented. Moreover, any isogeny of degree (3^b)^h is the composition of h isogenies of degree 3^b each, which can be stored as a sequence of h kernel generators, each of which is efficiently representable.
If the width w of the ladder is one, the prover can recursively push the kernel G of the isogeny ϕ = ϕ_{0,1} through the isogenies ψ_{i,0} to obtain its image G_i on each curve E_{i,0}. Each horizontal isogeny ϕ_{0,i} has kernel G_i, and the prover can compute the kernel of the right-side vertical isogeny ψ′_{i,0} as the image of the kernel of ψ_{i,0} under the isogeny ϕ_{i−1,1}. Since each square composed of (E_{i,0}, E_{i+1,0}, E′_{i,0}, E′_{i+1,0}) is a commutative diagram, so is the larger square (E_0, E_1, E_2, E_3). In the general case where w > 1, the prover can use for the horizontal isogeny ϕ the same approach as for the vertical isogeny ψ: the isogeny ϕ can be written as the composition of w isogenies ϕ_{0,w} ∘ … ∘ ϕ_{0,1} of degree 2^a, and their kernels can be mapped through the vertical isogenies. In other words, the prover can glue horizontally w compatible ladders, one for each factor ϕ_{0,i} of ϕ. The right descending isogenies of each ladder are used as the left descending isogenies of the next one. This allows the prover to compute w × h SIDH squares in such a way that the curves (E_0, E_1, E_2, E_3) and the isogenies between them form a commutative diagram. This is illustrated in Fig. 2. For the challenges chall = ±1, the prover reveals the isogenies ψ_{i,0} of the leftmost squares, or the isogenies ψ_{i,w} of the rightmost squares. For the challenge chall = 0, the prover responds with the isogenies ϕ_{h,i} of the bottom squares.
Verification consists of evaluating (depending on the challenge) either w or h isogenies of degree 2^a or 3^b, which can be done efficiently. Generating the proof is slower, as the prover needs to fill in all the w × h SIDH squares that make up the ladder. The proving complexity is thus quadratic in w and h, while the verification complexity is linear in w and h. However, the complexity of computing an SIDH square with degrees 2^a or 3^b is only quasilinear in a and b using sparse strategies [20]; thus, maximizing the size of the SIDH squares improves performance, which explains why SIDH primes are the most efficient scenario for this proof. If the degree of the isogenies and the size of the underlying field are kept constant, in the SIDH setting we have that 2^a 3^b | (p + 1) for large values of a and b (of the order of several hundreds), and thus w and h can be small. For a generic prime, the prover might need to set a = b = 1 and work with large values of w and h, incurring a quadratic cost, besides possibly having to compute points over an extension field of degree bounded by a small constant.
[Fig. 2 caption, partially recovered: … where each isogeny ϕ_{0,i} has degree d_i, and constructs compatible ladders for each ϕ_{0,i}.]

Distributed Secuer Setup and its Security
In this section, we formally describe the distributed Secuer setup protocol and prove its security under a security definition using the simplified universal composability (SUC) framework due to Canetti, Cohen, and Lindell [9] in the real/ideal world paradigm. Our security definitions consider a dishonest majority corruption model, wherein the adversary can corrupt up to t − 1 of the t participating parties in the distributed Secuer setup protocol. The protocol uses a non-interactive version of the Σ-protocol described in Section 4. We begin by formally describing this non-interactive zero-knowledge (NIZK) PoK protocol.

The NIZK protocol
We transform the Σ-protocol of Section 4 into a NIZK using the standard Fiat-Shamir heuristic [27] for transforming interactive PoK protocols into NIZK proofs, albeit with the difference that soundness and zero-knowledge hold for slightly different languages.
The NIZK construction. Let E_0, E_1 be supersingular curves defined over a finite field F_{p^2}, let ϕ : E_0 → E_1 be a separable isogeny of smooth degree d, and let C(m; r) be a statistically hiding and computationally binding commitment scheme. Additionally, let Σ = (P_1, P_2, V) be the interactive PoK protocol described in Section 4, let λ ∈ N be the security parameter, let ℓ be a small prime not dividing dp, let n = n(p, d, ℓ, λ), and let N = poly(λ) be a fixed polynomial. Finally, let H : {0, 1}* → {−1, 0, 1}^N be a random oracle. The NIZK proof system consists of a pair of algorithms NIZK = (P_NIZK, V_NIZK) as described in Fig. 3. The prover algorithm P_NIZK is randomized and produces a proof Π. The verifier algorithm V_NIZK is deterministic; it receives the proof Π and outputs a bit b ∈ {0, 1} indicating whether or not the proof is accepted.
Correctness, Extractability and ZK. Correctness follows immediately from the correctness of the underlying Σ-protocol. We state and prove the following propositions for extractability and ZK.
Proposition 19. Assuming that Σ = (P_1, P_2, V) satisfies 3-special soundness with respect to the relation R⋆ (described in Proposition 13) and that H is a random oracle, the NIZK NIZK = (P_NIZK, V_NIZK) satisfies extractability (and hence soundness) with respect to the relation R⋆.
Proof. We provide an informal proof overview. We begin by noting that Σ is a public-coin protocol, and that there exists a probabilistic polynomial-time algorithm that extracts a witness from 3 accepting transcripts corresponding to N parallel executions of Σ w.r.t. the same statement. Consequently, we can invoke the generalized forking lemma of [7] to argue the existence of a probabilistic polynomial-time witness-extraction algorithm for NIZK. This completes the proof of extractability (and hence, soundness) for NIZK.
[Fig. 3: P_NIZK(E_0, E_1, ϕ, n, N) and V_NIZK(E_0, E_1, Π, N)]

Proof. We again provide an informal proof overview. Let Sim_Σ be a ZK simulator that simulates an accepting transcript for the underlying Σ-protocol (as described in the proof of ZK for Σ). We construct a ZK simulator Sim_NIZK that simulates an accepting proof as follows:
1. Sim_NIZK simulates the random oracle H as follows: it maintains a local table consisting of tuples of the form (x, y) ∈ {0, 1}* × {−1, 0, 1}^N. On receiving a query x ∈ {0, 1}* from the adversary A, it looks up this table to check if an entry of the form (x, y) exists. If yes, it responds with y. Otherwise, it responds with a uniformly sampled y ← {−1, 0, 1}^N, and programs the random oracle as H(x) := y by adding the entry (x, y) to the table.
2. For each i ∈ [N], Sim_NIZK internally invokes the simulator Sim_Σ for the underlying Σ-protocol to obtain the i-th accepting transcript of the form
3. At this point, Sim_NIZK aborts if the adversary A has already issued a random oracle query on the input x = ((com_{2,1}, com_{3,1}), …, (com_{2,N}, com_{3,N})).
4. Otherwise, Sim_NIZK programs the random oracle as H((com_{2,1}, com_{3,1}), …, (com_{2,N}, com_{3,N})) := (chall_1, …, chall_N), and outputs the simulated proof as
We note that Sim_NIZK runs in polynomial time as long as Sim_Σ runs in polynomial time. Additionally, if Sim_NIZK does not abort, it outputs a simulated proof that is distributed in a statistically indistinguishable manner from the distribution of a real proof, assuming that Sim_Σ outputs a simulated accepting transcript with distribution statistically indistinguishable from a real accepting transcript for Σ. Finally, Sim_NIZK aborts with only negligible probability, since the adversary A guesses ((com_{2,i}, com_{3,i}), chall_i, resp_i) for each i ∈ [N] with at most negligible probability. This completes the proof of statistical ZK for NIZK.

Our distributed Secuer setup protocol
We now move to the distributed Secuer setup protocol. Let P_1, …, P_t be a set of t participating parties and let E_0 be some fixed starting curve. In a nutshell, the idea is to have the parties act sequentially: each P_i at its own turn performs a secret random walk E_{i−1} → E_i and broadcasts E_i and a NIZK PoK of the secret walk. We claim that, as long as one party is honest, the final curve E_t is a Secuer.
To get any security guarantee, we need to carefully set the parameters of the random walk E_{i−1} → E_i. The natural choice is to fix some small prime q, not dividing ℓp, and to take a random walk long enough that the distribution of E_i is negligibly far from the stationary distribution on the q-isogeny graph G(p, 1, q). For example, we may set q = 2 and ℓ = 3; then Theorem 11 provides a precise bound to set the length δ = n(p, 1, q, λ) of the q-walk as a function of the security parameter, and ultimately the parameter n(p, q^δ, ℓ, λ) of the PoK.
Remark 21. For increased efficiency, we may choose to perform shorter q-walks E_{i−1} → E_i of length log_q(p). This length approximates the diameter of the supersingular q-isogeny graph; hence, it ensures that the secret isogeny can reach almost any curve in the graph.
Under mild assumptions, this choice would still yield a secure protocol, but it would also make the security proof somewhat more involved. For this reason, we shall stick here to the more conservative choice of walking long enough to ensure a nearly stationary distribution of E_i.
We formally describe the protocol (referred to as Γ_Secuer henceforth). Assume that E_0 is known to all the parties at the start. Let NIZK = (P_NIZK, V_NIZK) be the non-interactive proof as described above. The protocol Γ_Secuer proceeds in t rounds while only using broadcast channels of communication, where round i for each i ∈ [t] is as follows:
- Party P_i performs a q-isogeny walk starting at curve E_{i−1} and ending at curve E_i (where E_{i−1} and E_i are both supersingular curves defined over F_{p^2}), such that party P_i knows a separable isogeny ϕ_i : E_{i−1} → E_i of degree q^δ, where δ = n(p, 1, q, λ).
- Party P_i generates Π_i ← P_NIZK(E_{i−1}, E_i, ϕ_i, n, N), where n = n(p, q^δ, ℓ, λ), and broadcasts (E_i, Π_i) to all other parties.
- Each party P_j for j ∈ [t] \ {i} verifies the NIZK proof Π_i by computing b_i ← V_NIZK(E_{i−1}, E_i, Π_i, N). If b_i = 0 (i.e., the proof is invalid), P_j aborts.
At the end of round t, all parties output E_t as the final output curve.
Correctness. Correctness of Γ_Secuer follows immediately from the correctness guarantees of the NIZK.
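The following added example (not the paper's code, nor part of its implementation) renders in plain Python the message flow of the Σ-protocol of Fig. 1, its Fiat-Shamir transform into NIZK = (P_NIZK, V_NIZK) of Fig. 3, and the chaining of rounds in Γ_Secuer. All curve arithmetic is replaced by an assumption: a "curve" is an integer modulo a constant M and an "isogeny" is the additive shift between two curves, so every square commutes for free and nothing in the toy is hard; the commitment C(m; r) is a SHA-256 hash of the value and a fresh 32-byte randomizer. The random oracle H : {0,1}* → {−1,0,1}^N is instantiated from SHA-256 in counter mode with rejection sampling, and its input also includes the statement (E_0, E_1), a strong Fiat-Shamir choice beyond the commitment list that the simulator above hashes. `repetitions(λ)` is the −λ/log(2/3) count stated in the parameter selection of the implementation section.

```python
import hashlib
import math
import secrets

# Assumption of this example: a "curve" is an integer mod M and an "isogeny"
# is the additive shift between two curves. Only the message flow is modelled.
M = 2**61 - 1

def commit(value, r):
    """Hash commitment standing in for C(m; r); r is a fresh 32-byte randomizer."""
    return hashlib.sha256(value.to_bytes(8, "big") + r).digest()

def sigma_p1(E0, E1, phi):
    """P1: one SIDH square E0 -> E2 (psi), E1 -> E3 (psi'), E2 -> E3 (phi')."""
    psi = secrets.randbelow(M)
    E2 = (E0 + psi) % M
    E3 = (E2 + phi) % M            # "push phi through psi"; equals E1 + psi
    r2, r3 = secrets.token_bytes(32), secrets.token_bytes(32)
    state = dict(psi=psi, phi_p=phi, E2=E2, E3=E3, r2=r2, r3=r3)
    return (commit(E2, r2), commit(E3, r3)), state

def sigma_p2(s, chall):
    """P2: reveal the edge(s) selected by the ternary challenge."""
    if chall == -1:
        return (s["psi"], s["E2"], s["r2"])
    if chall == 1:
        return (s["psi"], s["E3"], s["r3"])
    return (s["phi_p"], s["E2"], s["r2"], s["E3"], s["r3"])

def sigma_v(E0, E1, com, chall, resp):
    """V: open the committed curve(s) and check the revealed edge against them."""
    com2, com3 = com
    if chall == -1 and len(resp) == 3:
        psi, E2, r2 = resp
        return commit(E2, r2) == com2 and (E0 + psi) % M == E2
    if chall == 1 and len(resp) == 3:
        psi, E3, r3 = resp
        return commit(E3, r3) == com3 and (E1 + psi) % M == E3
    if chall == 0 and len(resp) == 5:
        phi_p, E2, r2, E3, r3 = resp
        return (commit(E2, r2) == com2 and commit(E3, r3) == com3
                and (E2 + phi_p) % M == E3)
    return False

def repetitions(lam):
    """Soundness error 2/3 per repetition: N = ceil(-lam / log2(2/3))."""
    return math.ceil(lam / math.log2(3 / 2))

def hash_to_ternary(data, N):
    """H : {0,1}* -> {-1,0,1}^N from SHA-256 in counter mode; byte value 255
    is rejected so that (b mod 3) - 1 is exactly uniform."""
    chall, ctr = [], 0
    while len(chall) < N:
        for b in hashlib.sha256(data + ctr.to_bytes(4, "big")).digest():
            if b < 255 and len(chall) < N:
                chall.append(b % 3 - 1)
        ctr += 1
    return chall

def ro_input(E0, E1, coms):
    """Statement followed by all N commitment pairs (strong Fiat-Shamir)."""
    return E0.to_bytes(8, "big") + E1.to_bytes(8, "big") + b"".join(
        c2 + c3 for c2, c3 in coms)

def nizk_prove(E0, E1, phi, N):
    """P_NIZK: N parallel P1 runs, challenges from H, then N P2 responses."""
    runs = [sigma_p1(E0, E1, phi) for _ in range(N)]
    coms = [com for com, _ in runs]
    challs = hash_to_ternary(ro_input(E0, E1, coms), N)
    return coms, [sigma_p2(st, ch) for (_, st), ch in zip(runs, challs)]

def nizk_verify(E0, E1, proof, N):
    """V_NIZK: recompute the challenges and check every one of the N transcripts."""
    coms, resps = proof
    if len(coms) != N or len(resps) != N:
        return False
    challs = hash_to_ternary(ro_input(E0, E1, coms), N)
    return all(sigma_v(E0, E1, c, ch, r) for c, ch, r in zip(coms, challs, resps))

def ceremony_round(E_prev, N):
    """Party P_i: secret walk E_{i-1} -> E_i plus a PoK of it; returns the broadcast."""
    phi = secrets.randbelow(M)
    E_next = (E_prev + phi) % M
    return E_next, nizk_prove(E_prev, E_next, phi, N)

def verify_chain(E0, broadcasts, N):
    """Re-verify a whole ceremony transcript: proof i must be valid for the pair
    (E_{i-1}, E_i), so each curve chains onto the previous one. Returns the final
    curve, or None at the first failing link (the abort of the protocol)."""
    E_prev = E0
    for E_i, proof in broadcasts:
        if not nizk_verify(E_prev, E_i, proof, N):
            return None
        E_prev = E_i
    return E_prev
```

A verifier that joins late needs nothing beyond E_0 and the sequence of broadcasts: `verify_chain` replays every round with the same deterministic `nizk_verify`, and a proof that was produced for a different pair of curves, a skipped link, or a reordered chain all fail because the challenges are derived from the statement and the commitments together.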

Proof of security for Γ Secuer
We now present the proof of security for Γ_Secuer using the simplified universal composability (SUC) framework [9] in the real/ideal world paradigm. We consider a dishonest majority corruption model, wherein the adversary can corrupt up to (t − 1) of the t participating parties.
The ideal functionality. Intuitively, the ideal functionality for distributed Secuer setup should simply take as input the initial curve E_0 and output a Secuer E_t. It is however not obvious how to model the property of being a Secuer in the plain SUC model: a game-based definition, stating that an adversary who can compute End(E_t) can be used to break some other assumption, appears to be more appropriate. Thus, we prove security in two steps. First, we prove that Γ_Secuer securely emulates a less-than-ideal functionality F*_Secuer (described in Fig. 4) that enforces that: (a) for each i ∈ [t], if a corrupt party P_i outputs a curve E_i, it must know a valid isogeny ϕ_i : E_{i−1} → E_i, and (b) for each i ∈ [t], if an honest party P_i outputs a curve E_i, then the corresponding isogeny ϕ_i : E_{i−1} → E_i is hidden from the adversary. This step relies on the extractability and ZK properties of the NIZK protocol described above. Next, we prove that, assuming the hardness of the endomorphism ring problem in the F*_Secuer-hybrid model, the output curve E_t is a Secuer, i.e. that the (malicious) adversary cannot compute End(E_t).
Theorem 22. Assuming that NIZK = (P_NIZK, V_NIZK) satisfies extractability and zero-knowledge, and assuming the hardness of the endomorphism ring problem (Definition 1) and GRH, the output E_t of the protocol Γ_Secuer is a Secuer if at least one party P_{i*} for some i* ∈ [t] is honest.

Secure emulation of F*_Secuer
We now prove that Γ_Secuer securely emulates the less-than-ideal functionality F*_Secuer. Our proof is in the real/ideal world paradigm, defined formally as follows.
The real world. The following entities engage in the real protocol Γ_Secuer: (i) a set H ⊆ [t] of honest parties, (ii) a real-world adversary A controlling a set C ⊂ [t] of corrupt parties, and (iii) the environment E that provides E_0 to each party, interacts with the real-world adversary A, receives the final output curve E_t from the honest parties, and eventually outputs a bit b ∈ {0, 1}.
[Fig. 4: the functionality F*_Secuer; in round i:]
- Let H_i ⊆ [i − 1] be the set of honest parties, and let C_i ⊆ [i − 1] be the set of corrupt parties among the first (i − 1) parties P_1, …, P_{i−1}.
- For each j ∈ H_i, F*_Secuer receives as input from P_j a tuple of the form (E_j, ϕ_j).
- For each j′ ∈ C_i, F*_Secuer receives as input from the simulator Sim a tuple of the form (E_{j′}, ϕ_{j′}).
- If for any j ∈ [i − 1], ϕ_j is not an isogeny from the curve E_{j−1} to the curve E_j, F*_Secuer outputs ⊥ and aborts.
- Otherwise, F*_Secuer takes a random walk starting from the (i − 1)-th curve E_{i−1} and ending in a curve E_i such that F*_Secuer knows ϕ_i : E_{i−1} → E_i, where ϕ_i is a separable isogeny of degree d.
- Finally, F*_Secuer outputs (E_i, ϕ_i) to the party P_i, and outputs E_i to the simulator Sim and to all parties P_j for j ≠ i.
The ideal world. The following entities interact with the functionality F*_Secuer: (i) a set H ⊆ [t] of honest parties, where for each i ∈ H, party P_i directly forwards its secret isogeny to F*_Secuer, (ii) an ideal-world simulator Sim that sends inputs to F*_Secuer on behalf of a set C ⊂ [t] of corrupt parties, and (iii) the environment E that provides each party with the starting curve E_0, interacts with the simulator Sim, receives the final output curve E_t from the functionality, and eventually outputs a bit b ∈ {0, 1}.
For any t-party Secuer setup protocol Γ_Secuer, any adversary A, any simulator Sim, and any environment E, we define the following random variables:
- real_{Γ_Secuer,A,E}: denotes the output of the environment E after interacting with the adversary A during a real-world execution of Γ_Secuer.
- ideal_{F*_Secuer,Sim,E}: denotes the output of the environment E after interacting with the simulator Sim in the ideal world.

Proof. We prove this theorem by constructing a PPT simulator Sim that simulates the view of the environment E in the ideal world. The simulator Sim receives E_0 from the environment E, internally runs the real-world adversary A and the NIZK simulator Sim_NIZK, and proceeds in round i for i ∈ [t] as described next. Note that we implicitly assume that Sim has rewinding access to the adversary A and programming access to the random oracle in the analysis below. Case and broadcasts (E_i, Π_i) as the message corresponding to the honest party P_i.
Indistinguishability of views. We now prove that for the above construction of Sim, the view of E in the ideal world is indistinguishable from that in the real world. We prove this by a sequence of hybrids as described below (recall that H ⊆ [t] and C ⊂ [t] denote the sets of honest and corrupt parties, respectively).
- Hybrid-0: In this hybrid, the distribution of messages broadcast by each party is identical to the real-world protocol Γ_Secuer.
- Hybrid-1: In this hybrid, for each corrupt party P_j such that j ∈ C, instead of verifying the NIZK proof Π_j using V_NIZK (as in the real protocol), extract the witness ϕ_j using the extraction algorithm of NIZK. If extraction fails, output ⊥.
- Hybrid-2: In this hybrid, for each honest party P_i such that i ∈ H, instead of generating the NIZK proof Π_i ← P_NIZK(E_{i−1}, E_i, ϕ_i, n, N) (as in the real protocol), generate a simulated proof using Sim_NIZK.
- Hybrid-3: In this hybrid, the distribution of messages broadcast by each party is identical to the ideal-world messages broadcast by Sim.
Note that for E to distinguish between hybrid-0 and hybrid-1 with non-negligible probability, the adversary A must be able to produce with non-negligible probability a proof Π_j corresponding to a corrupt party P_j for j ∈ C such that V_NIZK(E_{j−1}, E_j, Π_j, N) = 1 but extraction fails. This immediately violates extractability of NIZK, thus completing the proof of the lemma.
Note that for E to distinguish between hybrid-1 and hybrid-2 with non-negligible probability, there must exist an honest party P_i for i ∈ H and a distinguisher D such that Pr , where λ is the security parameter, and where

Proof. Suppose that there exists an adversary A corrupting a dishonest majority of the parties that efficiently computes the endomorphism ring of E_i with non-negligible probability. Also assume that A corrupts all of P_1, …, P_{i−1}. We can use A to construct an algorithm B that solves the endomorphism ring problem. The algorithm B receives as input a uniformly random curve E*/F_{p^2}, internally runs the adversary A to emulate the outputs of the corrupt parties P_1, …, P_{i−1}, and finally feeds A with E_i := E*. The view of the adversary A is properly simulated by B, since the E_i output by F*_Secuer and the E* provisioned by B are statistically indistinguishable (here we use Theorem 11, which applies precisely because the honest party takes a q-walk of length n(p, 1, q, λ)). Finally, B uses A to recover the endomorphism ring of E* with non-negligible probability. This concludes the proof of Lemma 27.
We now prove Theorem 26. We break the proof into two cases: (i) when P_t is honest, and (ii) when P_t is corrupt. The proof for case (i) is immediate from Lemma 27. Hence, we focus on case (ii). Let H ⊆ [t] be the set of honest parties, and let i* = max({i : P_i ∈ H}). By Lemma 27, E_{i*} must be a Secuer. Now, suppose that E_t is not a Secuer, i.e., there exists an adversary A corrupting a dishonest majority of the parties that efficiently computes the endomorphism ring of E_t with non-negligible probability. Since all of P_{i*+1}, …, P_t are corrupt, A knows a walk from E_{i*} to E_t in the ℓ-isogeny graph. However, since E_t is not a Secuer, A can use the reduction of [54] (assuming GRH) to recover End(E_{i*}), thereby violating Lemma 27. This completes the proof of Theorem 26. Finally, the proof of Theorem 22 follows immediately from the proofs of Theorem 23 and Theorem 26, which completes the proof of security for our distributed Secuer setup protocol Γ_Secuer.

Implementation and Results
In this section, we report on our proof-of-concept implementation of our proof of knowledge (Section 4), including a discussion of proof sizes and running times.Moreover, we lay out concretely how one may deploy the trusted setup protocol from Section 5 in the real world.
Parameter selection.The base-field primes p in our proof-of-knowledge implementation are taken from the four SIKE parameter sets p434, p503, p610, and p751.As discussed in Section 4.2, our proof of knowledge achieves its optimal efficiency for SIDH-style primes.Moreover, those primes have been featured extensively in the literature, and thus appear to be the obvious choice to demonstrate our proof of knowledge.That said, we stress once more that our techniques are generic and can be applied in any choice of characteristic.We use the degree q = 2 for the random walks E i → E i−1 , and ℓ = 3 for the random walks of the Σ-protocol of Fig. 1.Like Section 5, we set δ = n(p, 1, 2, λ) for the length of the 2-walks, and n = n(p, 2 δ , 3, λ) for the 3-walks.Lastly, the Σ-protocol needs to be repeated several times to achieve a negligible soundness error.Since one repetition has soundness error 2/3, the protocol needs to be repeated −λ/log(2/3) times to achieve 2 −λ soundness error.We target the same security levels as the corresponding SIKE parameter sets, i.e., λ = 128 for p434 and p503, λ = 192 for p610, and λ = 256 for p751.The resulting conservative parameters are summarized in Table 1.
Implementation.We developed an optimized implementation6 of our proof of knowledge (Section 4.1) for the trusted-setup application (Section 5) based on version 3.5.1 of Microsoft's SIDH library 7 .Our implementation inherits and benefits from all lower-level optimizations contained in that library, and it supports a wide range of platforms with optimized code for a variety of Intel and ARM processors.Compiling our software produces two command-line tools prove and verify, which use a simple ASCIIbased interface to communicate the data contributed to the trusted setup and its associated proof of isogeny knowledge.
The implementation closely follows the strategy outlined in Section 4.2.This includes the choices d = (2 a ) w and ℓ n = (3 b ) h ; thus, both the witness and the commitment isogenies are uniformly random cyclic isogenies of degree d and ℓ n respectively.To reduce latency, we additionally exploit parallelism: Recall that the proof of knowledge is repeated many times to achieve a low soundness error; indeed most of the computations are independent between those repetitions and can thus easily be performed at the same time on a multi-core system.This is confirmed by experimental results, where our implementation is observed to parallelize almost perfectly when run on an eight-core processor.
Sampling purely random large-degree isogenies with code from SIDH comes with two caveats. First, the sampling of "small" squares must avoid backtracking between the individual squares being glued, to ensure that the composition is cyclic in the end; in both cases this is done by keeping track of the kernel of the dual of the last prime-degree step of the previous square and avoiding points lying above this "forbidden" kernel when choosing the next square. Second, the specific isogeny formulas used in SIDH fail for the 2-torsion point $(0, 0)$, which can be resolved by changing to a different Montgomery model each time this kernel point is encountered. For curves revealed in the proof, the choice of Montgomery model should be randomized to avoid leakage. Similarly, the kernel generators of the horizontal isogeny $\phi'$ also need to be randomized, as Lemma 15 only distinguishes cyclic subgroups and revealing specific generators may leak.

Our software sacrifices some performance for simplicity, which aids auditability and hence helps increase trust in the results of a trusted-setup ceremony. Some unused optimizations: two-isogenies are faster to compute than three-isogenies, and since the SIDH ladder is taller than it is wide, swapping the roles of two- and three-isogenies in the trusted-setup application could somewhat improve the resulting performance. For simplicity, our implementation also only uses full SIDH squares, and thus all isogeny degrees are rounded up to the closest multiple of an SIDH square; shortening the sides of some of the squares can save time. We also did not apply all optimizations to reduce the proof size. This includes applying SIDH-style compression techniques [15] to the points contained in the proof, cutting their size approximately in half. Moreover, applying a slight bias when sampling the challenges $\mathsf{chall}_i$ means smaller responses can appear more often, at the expense of requiring slightly more repetitions; we investigated this tradeoff and determined that the potential improvement is essentially void.

submission failing to complete full chain verification before the tip curve is updated again increase. We can parallelize our verification of the multiple proofs to lower these chances, and quickly abort validation if any proof or any check of the validity of the chaining of curves fails.
The configuration for the continuous integration (CI) checks is maintained in a separate repository to prevent modification by protocol participants. Hosting the protocol on GitHub raises the bar for Sybil attacks, as it requires all participants to have a GitHub account with a verified email address. Using our tool requires generating a GitHub personal access token to authenticate when generating the submission, which further complicates automation or collusion by adversarial participants.
The end result of the protocol is a public git repository whose final commit contains a series of curves and valid proofs of knowledge of isogenies between them, the last of which is the final Secuer, a curve with unknown endomorphism ring, in a parsable hex encoding. Anyone can pull down this artifact and verify the series of curves and proofs independently if they wish.
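As an added example (not the paper's own tool), the two checks a verifier of such a repository performs: each submission must start at the tip curve left by the previous one (beginning at $E_0$), and every proof of knowledge must verify, with the independent proof checks run in parallel and a quick abort on the first failure. Curves are represented by their hex encoding as strings, the proof verifier is an injected function, and the SHA-256 "proof" below is a constructed placeholder so the chain logic can run stand-alone; it is not an isogeny proof.

```python
import hashlib
from concurrent.futures import ThreadPoolExecutor, as_completed
from dataclasses import dataclass
from typing import Callable, List


@dataclass(frozen=True)
class Submission:
    prev_curve: str  # hex encoding of the tip E_{i-1} the prover started from
    curve: str       # hex encoding of the new tip E_i
    proof: bytes     # proof of knowledge of an isogeny E_{i-1} -> E_i (opaque here)


def check_chaining(e0: str, chain: List[Submission]) -> bool:
    """Cheap structural check: submission i must start at the tip left by i-1."""
    tip = e0
    for sub in chain:
        if sub.prev_curve != tip:
            return False
        tip = sub.curve
    return True


def verify_chain(e0: str, chain: List[Submission],
                 verify_proof: Callable[[str, str, bytes], bool],
                 workers: int = 8) -> bool:
    """Accept iff chaining holds and every proof verifies; proof checks are
    independent, so they run in parallel and the first failure cancels the
    checks that have not started yet (quick abort)."""
    if not check_chaining(e0, chain):
        return False
    with ThreadPoolExecutor(max_workers=workers) as pool:
        futures = [pool.submit(verify_proof, s.prev_curve, s.curve, s.proof)
                   for s in chain]
        for fut in as_completed(futures):
            if not fut.result():
                for other in futures:
                    other.cancel()
                return False
    return True


def toy_proof(prev_curve: str, curve: str) -> bytes:
    """Constructed stand-in (NOT an isogeny proof): SHA-256 of the curve pair."""
    return hashlib.sha256(f"{prev_curve}|{curve}".encode()).digest()


def toy_verify(prev_curve: str, curve: str, proof: bytes) -> bool:
    """Stand-in for the NIZK verifier, paired with toy_proof above."""
    return proof == toy_proof(prev_curve, curve)
```

In a real deployment `verify_proof` is the NIZK verifier of Fig. 3 and the curves are parsed from the repository's hex encoding.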

Conclusion
In this work, we analyzed a distributed Secuer generation protocol, and proposed a concrete instantiation with strong security guarantees based on a novel proof of isogeny knowledge.
In the upcoming months, to demonstrate the practical feasibility of our protocol, we intend to run a distributed Secuer generation ceremony using the technology outlined in Section 6. We believe that such a ceremony could easily scale to hundreds, or even thousands, of participants.
Our new proof of knowledge is especially well-suited for SIDH-like base fields, but can be used reasonably well with fields $\mathbb{F}_{p^2}$ of any characteristic. However, some important applications require a Secuer defined over $\mathbb{F}_p$. Although our proof of knowledge also applies to this case, it does not hide the degree of the secret isogeny walks, making it extremely cumbersome and inefficient to generate Secuers over such fields. With the exception of CSI-FiSh [5], all proofs of isogeny knowledge developed for prime fields are rather inefficient [19], thus the distributed generation of a Secuer defined over $\mathbb{F}_p$ is still an open problem in practice.
To show security of the proof of knowledge, we developed the theory of supersingular isogeny graphs with level structure, in particular proving that they possess the Ramanujan property. In this work we only focused on the so-called Borel level structure; however, similar properties can be proven for more general level structures. In a follow-up work, we will develop the general theory of these graphs, prove bounds on their eigenvalues, and discuss consequences for isogeny-based cryptography.

Theorem 3. Let $G = G(p, d, \ell)$ be the supersingular $\ell$-isogeny graph with level $d$ Borel structure. The adjacency matrix $A$ of $G$ is diagonalizable, with real eigenvalues, and has the Ramanujan property, i.e. the integer $\ell + 1$ is an eigenvalue of $A$ of multiplicity one, while all the other eigenvalues are contained in the Hasse interval [

hence the proposition follows from (3) together with the above formula summed over $\alpha$ in the codomain.

Proof of Proposition 10. We have to show that, for any two pairs $(E, C)$ and $(E', C')$ and any cusp of $X_0(dp)$, the residue $r$ of $\Theta((E, C), (E', C'))\,d\tau$ does not depend on $(E, C)$ and $(E', C')$ at the cusp but only on $p$, $d$ and the cusp. By the discussion in [25, Section 3.8, page 103] each cusp can be represented as $\binom{a}{c}$ with $c$ dividing $dp$, and $r$ is equal to $a_0\big(\Theta((E, C), (E', C'))|_M\big)$ for $M$ any matrix in $\mathrm{SL}_2(\mathbb{Z})$ of the form $\begin{pmatrix} a & b \\ c & \delta \end{pmatrix}$. By [48, Chapter IX, Equation (21), page 213], we have

$$
r = \frac{1}{c^2 pd} \sum_{\nu,\lambda \in \Lambda/c\Lambda} e\!\left(\frac{(a-1)\deg(\lambda) + \deg(\lambda+\nu) + (\delta-1)\deg(\nu)}{c}\right),
$$

where $e(z) = e^{2\pi i z}$, and $\Lambda$ is the lattice of isogenies from $(E, C)$ to $(E', C')$ which map $C$ into $C'$. The above formula tells us that $r$ only depends on $M$ and on the quadratic form $\deg : \Lambda/c\Lambda \to \mathbb{Z}/c\mathbb{Z}$. Writing $c = c_0 p^{\epsilon}$ with $c_0$ dividing $N$ and $\epsilon = 0, 1$ and using the Chinese remainder theorem we can split the quadratic form in two parts

where $\cos(\theta) = \lambda_i/(2\sqrt{\ell})$. Recall that $|\sin(x + y)| \le |\sin(x)| + |\sin(y)|$, hence $|\sin(m\theta)| \le m|\sin(\theta)|$ and we can achieve the bound:

Fig. 1: Interactive proof of knowledge of a cyclic isogeny $\phi : E_0 \to E_1$ of degree $d$.

One can then check by direct computation that $s = s_0$. We conclude that $d_{TV}(D_2(k), s) = d_{TV}(P_* D_2(k), s_0)$, and the right hand side can be bounded using Theorem 11.

Definition 16. Given $p, d, \ell$ and $m$, define $n(p, d, \ell, m) = \min\{k \in \mathbb{Z} \mid \tau(p, d, \ell, k) \le 2^{-m}\}$.

Proposition 17. Let $\lambda$ be a security parameter and let $n = n(p, d, \ell, \lambda)$. The $\Sigma$-protocol of Fig. 1 is statistically SHVZK for the relation $R_d$ defined in Proposition 13, assuming the commitment $C$ is statistically hiding.

Fig. 2: An SIDH ladder.

Remark 18. Above, we assumed that the degree of the witness $\phi$ was $d = (2^a)^w$. As mentioned before, this can be generalized to any witness $\phi$ of smooth degree $d = d_1 \cdots d_w$ as long as the $d_i$-torsion groups are accessible (ideally, one should have $E_0[d_i] \subseteq E_0(\mathbb{F}_{p^2})$). In this case, one factors $\phi$ as $\phi = \phi_{0,w} \circ \cdots \circ \phi_{0,1}$ where each isogeny $\phi_{0,i}$ has degree $d_i$, and constructs compatible ladders for each $\phi_{0,i}$.

Fig. 3: The NIZK.

Proposition 20. Assuming that $\Sigma = (P_1, P_2, V)$ is statistically SHVZK for the relation $R_d$ (described in Proposition 17) and that $H$ is a random oracle, the NIZK $\mathsf{NIZK} = (P_{\mathsf{NIZK}}, V_{\mathsf{NIZK}})$ is statistically ZK for the relation $R_d$.
Case-1: Party $P_i$ is corrupt. In this case, $\mathsf{Sim}$ internally runs the real-world adversary $\mathcal{A}$ to obtain the broadcast message $(E_i, \Pi_i)$ corresponding to the corrupt party $P_i$. It then uses the extraction algorithm of $\mathsf{NIZK}$ to extract the corresponding witness $\phi_i$. If extraction fails, $\mathsf{Sim}$ outputs $\bot$ and aborts. Otherwise, $\mathsf{Sim}$ stores $(E_i, \Pi_i, \phi_i)$ internally, and broadcasts $(E_i, \Pi_i)$ as the message corresponding to the corrupt party $P_i$.

Case-2: Party $P_i$ is honest. In this case, $\mathsf{Sim}$ invokes the ideal functionality to obtain $E_i$. Concretely, let $C_i \subseteq [i-1]$ be the set of corrupt parties among the first $(i-1)$ parties $P_1, \ldots, P_{i-1}$. $\mathsf{Sim}$ invokes the ideal functionality $\mathcal{F}^*_{\mathsf{Secuer}}(E_0, i)$ with the set $\{(E_{j'}, \phi_{j'})\}_{j' \in C_i}$. If $\mathcal{F}^*_{\mathsf{Secuer}}$ outputs $\bot$, $\mathsf{Sim}$ outputs $\bot$ and aborts. Otherwise, $\mathsf{Sim}$ receives from $\mathcal{F}^*_{\mathsf{Secuer}}$ the corresponding curve $E_i$. At this point, it invokes the simulator $\mathsf{Sim}_{\mathsf{NIZK}}$ of the NIZK protocol to obtain a simulated proof as $\Pi$

This immediately violates the ZK property of $\mathsf{NIZK}$, thus completing the proof of the lemma. Finally, hybrid-2 and hybrid-3 are identical by inspection, thus completing the proof of Theorem 23.

Analyzing $E_t$ in the $\mathcal{F}^*_{\mathsf{Secuer}}$-hybrid model. Based on the above secure emulation guarantee, we now analyze the output $E_t$ of $\Gamma_{\mathsf{Secuer}}$ in the $\mathcal{F}^*_{\mathsf{Secuer}}$-hybrid model. Concretely, we state and prove the following theorem.

Assuming the hardness of the endomorphism ring problem and GRH, the output $E_t$ of $\mathcal{F}^*_{\mathsf{Secuer}}(E_0, t)$ is a Secuer if at least one party is honest.

To prove this theorem, we first prove the following lemma.

Lemma 27. Assuming the hardness of the endomorphism ring problem, the output $E_i$ of $\mathcal{F}^*_{\mathsf{Secuer}}(E_0, i)$ for $i \in [t]$ is a Secuer whenever $P_i$ is honest.

Table 1: Parameters and corresponding secret/proof size for each of the four SIKE finite fields.

Table 2: Benchmarks for isogeny walk generation, proving, and verification for each of the four SIKE finite fields.