Paper 2023/1448
The supersingular endomorphism ring problem given one endomorphism
Abstract
Given a supersingular elliptic curve $E$ and a non-scalar endomorphism $\alpha$ of $E$, we prove that the endomorphism ring of $E$ can be computed in classical time about $\text{disc}(\mathbb{Z}[\alpha])^{1/4}$ , and in quantum subexponential time, assuming the generalised Riemann hypothesis. Previous results either had higher complexities, or relied on heuristic assumptions. Along the way, we prove that the Primitivisation problem can be solved in polynomial time (a problem previously believed to be hard), and we prove that the action of smooth ideals on oriented elliptic curves can be computed in polynomial time (previous results of this form required the ideal to be powersmooth, i.e., not divisible by any large prime power). Following the attacks on SIDH, isogenies in high dimension are a central ingredient of our results.
Metadata
- Available format(s)
-
PDF
- Category
- Public-key cryptography
- Publication info
- A minor revision of an IACR publication in CIC 2025
- Keywords
- Isogeny-based cryptographyEndomorphism ringSupersingular elliptic curveOrientationClass groupCryptanalysis
- Contact author(s)
-
arthur herledan_le_merdy @ ens-lyon fr
benjamin wesolowski @ ens-lyon fr - History
- 2025-07-03: last of 2 revisions
- 2023-09-22: received
- See all versions
- Short URL
- https://ia.cr/2023/1448
- License
-
CC BY
BibTeX
@misc{cryptoeprint:2023/1448,
author = {Arthur Herlédan Le Merdy and Benjamin Wesolowski},
title = {The supersingular endomorphism ring problem given one endomorphism},
howpublished = {Cryptology {ePrint} Archive, Paper 2023/1448},
year = {2023},
url = {https://eprint.iacr.org/2023/1448}
}
