Paper 2023/1618

Improved algorithms for finding fixed-degree isogenies between supersingular elliptic curves

Benjamin Benčina, Royal Holloway University of London
Péter Kutas, Eötvös Loránd University, University of Birmingham
Simon-Philipp Merz, ETH Zurich
Christophe Petit, Université Libre de Bruxelles, University of Birmingham
Miha Stopar, Université Libre de Bruxelles, Ethereum Foundation
Charlotte Weitkämper, University of Birmingham, Eötvös Loránd University

Finding isogenies between supersingular elliptic curves is a natural algorithmic problem which is known to be equivalent to computing the curves' endomorphism rings. When the isogeny is additionally required to have a specific known degree $d$, the problem appears to be somewhat different in nature, yet its hardness is also required in isogeny-based cryptography. Let $E_1,E_2$ be supersingular elliptic curves over $\mathbb{F}_{p^2}$. We present improved classical and quantum algorithms that compute an isogeny of degree~$d$ between~$E_1$ and~$E_2$ if it exists. Let $d \approx p^{1/2+ \epsilon}$ for some $\epsilon>0$. Our essentially memory-free algorithms have better time complexity than meet-in-the-middle algorithms, which require exponential memory storage, in the range $1/2\leq\epsilon\leq 3/4$ on a classical computer. For quantum computers, we improve the time complexity in the range $0<\epsilon<5/2$. Our strategy is to compute the endomorphism rings of both curves, compute the reduced norm form associated to $\operatorname{Hom}(E_1,E_2)$ and try to represent the integer $d$ as a solution of this form. We present multiple approaches to solving this problem which combine guessing certain variables exhaustively (or use Grover's search in the quantum case) with methods for solving quadratic Diophantine equations such as Cornacchia's algorithm and multivariate variants of Coppersmith's method. For the different approaches, we provide implementations and experimental results. A solution to the norm form can be then be efficiently translated to recover the sought-after isogeny using well-known techniques. As a consequence of our results we show that a recently introduced signature scheme published at ACNS 2024 does not reach NIST level I security.

Note: Attack on ACNS paper added and some more graphics

Available format(s)
Public-key cryptography
Publication info
Isogeny-based cryptographyPost-quantum cryptographyPure isogeny problems
Contact author(s)
benjamin bencina @ gmail com
kutasp @ gmail com
research @ simon-philipp com
christophe petit @ ulb be
stopar miha @ gmail com
C Weitkaemper @ pgr bham ac uk
2024-03-01: last of 2 revisions
2023-10-18: received
See all versions
Short URL
Creative Commons Attribution


      author = {Benjamin Benčina and Péter Kutas and Simon-Philipp Merz and Christophe Petit and Miha Stopar and Charlotte Weitkämper},
      title = {Improved algorithms for finding fixed-degree isogenies between supersingular elliptic curves},
      howpublished = {Cryptology ePrint Archive, Paper 2023/1618},
      year = {2023},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.