Paper 2023/1448

The supersingular endomorphism ring problem given one endomorphism

Arthur Herlédan Le Merdy, ENS de Lyon, LIP, UMR 5668 (U. Lyon, ENS de Lyon, Inria, UCBL), France
Benjamin Wesolowski, ENS de Lyon, CNRS, UMPA, UMR 5669, Lyon, France
Abstract

Given a supersingular elliptic curve $E$ and a non-scalar endomorphism $\alpha$ of $E$, we prove that the endomorphism ring of $E$ can be computed in classical time about $\text{disc}(\mathbb{Z}[\alpha])^{1/4}$ , and in quantum subexponential time, assuming the generalised Riemann hypothesis. Previous results either had higher complexities, or relied on heuristic assumptions. Along the way, we prove that the Primitivisation problem can be solved in polynomial time (a problem previously believed to be hard), and we prove that the action of smooth ideals on oriented elliptic curves can be computed in polynomial time (previous results of this form required the ideal to be powersmooth, i.e., not divisible by any large prime power). Following the attacks on SIDH, isogenies in high dimension are a central ingredient of our results.

Metadata
Available format(s)
PDF
Category
Public-key cryptography
Publication info
Preprint.
Keywords
Isogeny-based cryptographyEndomorphism ringSupersingular elliptic curveOrientationClass groupCryptanalysis
Contact author(s)
arthur herledan_le_merdy @ ens-lyon fr
benjamin wesolowski @ ens-lyon fr
History
2023-09-24: approved
2023-09-22: received
See all versions
Short URL
https://ia.cr/2023/1448
License
Creative Commons Attribution
CC BY

BibTeX 

@misc{cryptoeprint:2023/1448,
      author = {Arthur Herlédan Le Merdy and Benjamin Wesolowski},
      title = {The supersingular endomorphism ring problem given one endomorphism},
      howpublished = {Cryptology ePrint Archive, Paper 2023/1448},
      year = {2023},
      note = {\url{https://eprint.iacr.org/2023/1448}},
      url = {https://eprint.iacr.org/2023/1448}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.