Paper 2023/549

Weak instances of class group action based cryptography via self-pairings

Wouter Castryck, KU Leuven, Universiteit Gent
Marc Houben, KU Leuven, Leiden University
Simon-Philipp Merz, Royal Holloway University of London
Marzio Mula, University of Trento
Sam van Buuren, KU Leuven
Frederik Vercauteren, KU Leuven

In this paper we study non-trivial self-pairings with cyclic domains that are compatible with isogenies between elliptic curves oriented by an imaginary quadratic order $\mathcal{O}$. We prove that the order $m$ of such a self-pairing necessarily satisfies $m \mid \Delta_\mathcal{O}$ (and even $2m \mid \Delta_\mathcal{O} $ if $4 \mid \Delta_\mathcal{O}$ and $4m \mid \Delta_\mathcal{O}$ if $8 \mid \Delta_\mathcal{O}$) and is not a multiple of the field characteristic. Conversely, for each $m$ satisfying these necessary conditions, we construct a family of non-trivial cyclic self-pairings of order $m$ that are compatible with oriented isogenies, based on generalized Weil and Tate pairings. As an application, we identify weak instances of class group actions on elliptic curves assuming the degree of the secret isogeny is known. More in detail, we show that if $m^2 \mid \Delta_\mathcal{O}$ for some prime power $m$ then given two primitively $\mathcal{O}$-oriented elliptic curves $(E, \iota)$ and $(E',\iota') = [\mathfrak{a}] (E,\iota)$ connected by an unknown invertible ideal $\mathfrak{a} \subseteq \mathcal{O}$, we can recover $\mathfrak{a}$ essentially at the cost of a discrete logarithm computation in a group of order $m^2$, assuming the norm of $\mathfrak{a}$ is given and is smaller than $m^2$. We give concrete instances, involving ordinary elliptic curves over finite fields, where this turns into a polynomial time attack. Finally, we show that these self-pairings simplify known results on the decisional Diffie-Hellman problem for class group actions on oriented elliptic curves.

Note: Includes an appendix, omitted from the published version due to a page limit.

Available format(s)
Public-key cryptography
Publication info
A minor revision of an IACR publication in CRYPTO 2023
Isogeny based cryptographyclass group actionself-pairing
Contact author(s)
wouter castryck @ kuleuven be
marc houben @ kuleuven be
research @ simon-philipp com
marzio mula @ unitn it
sam vanbuuren @ kuleuven be
frederik vercauteren @ kuleuven be
2023-06-07: last of 2 revisions
2023-04-18: received
See all versions
Short URL
Creative Commons Attribution


      author = {Wouter Castryck and Marc Houben and Simon-Philipp Merz and Marzio Mula and Sam van Buuren and Frederik Vercauteren},
      title = {Weak instances of class group action based cryptography via self-pairings},
      howpublished = {Cryptology ePrint Archive, Paper 2023/549},
      year = {2023},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.