A seminar session for young isogenists.
Sarah Arpin - Orientations and Isogeny Graphs
January 31st, 17:00 (CET).
To study supersingular isogeny graphs, one may add to the elliptic curves the information of an orientation, or a particular embedding of an imaginary quadratic field into the endomorphism ring of the curve. Recent cryptographic protocols (Séta, OSIDH) have made use of orientations to define new hard problems on supersingular isogeny graphs. The mathematics of orientations have been studied for a long time, but the algorithmic implications are just now being understood.
As part of a recent Women in Numbers 5 (WIN5) collaboration, my collaborators and I use orientations towards two different goals: 1. path-finding algorithms in the supersingular ℓ-isogeny graph and 2. understanding and counting cycles in the supersingular ℓ-isogeny graph. In this talk, we will first introduce the theory of orientations and discuss the relevant hard problems. We will go on to describe the path-finding algorithms and the theory behind cycle-counting which stem from adding orientations to supersingular elliptic curves.
- Talk 2, February 14th, 17:00 (CET).
- Talk 3, February 28th, 17:00 (CET).
- Talk 4, March 14th, 17:00 (CET).
- Talk 5, March 28th, 17:00 (CEST).
- Talk 6, April 11th, 17:00 (CEST).
Thomas Decru - Breaking SIKE
September 13th, 17:00 (CEST).
Thomas paints a somewhat broader picture of the genus-2 isogeny setting to showcase how Wouter Castryck and Thomas found all the pieces of the puzzle to break SIKE.
Bruno Sterner - git commit -m “isogenies”
University of Surrey
September 27th, 17:00 (CEST).
Supersingular isogeny graphs possess many properties that make it an interesting object to study mathematically as well as attempt to apply for cryptographic purposes. In this talk, Bruno will present one of these properties and showcase how it can be applied to construct a commitment scheme. This commitment scheme has strong security properties and doesn’t require random oracles.
Maria Corte-Real Santos - [superlative]Solver: Attacking the General Isogeny Problem
University College London
October 11th, 17:00 (CEST).
The general supersingular isogeny problem is the foundational hardness assumption underpinning isogeny-based cryptography. Its conjectured classical and quantum hardness has cemented isogenies as a promising tool for building post-quantum secure protocols.
In this talk, we will look at the general isogeny problem in low dimensions. More specifically, we consider the hardness of finding an isogeny between two given supersingular elliptic curves or two superspecial abelian surfaces defined over 𝔽p2. Viewing these as path finding problems in a related isogeny graph, we introduce a general framework for solving these problems and present the state-of-the-art attacks against them. We will also discuss a strategy for improving their concrete complexity, based on joint work with Craig Costello, Sam Frengley and Jia Shi.
Antonin Leroux - A new algorithm for the effective Deuring correspondence: making SQISign faster
October 25th, 17:00 (CEST).
The quantum computer is a threat to cryptography as it can solve the problems upon which relies the security of a lot of protocols. Isogeny-based cryptography is a family of protocols relying on the hardness of finding an isogeny between two supersingular elliptic curves, a problem assumed hard even for a quantum computer. In this talk, we focus on the connection between isogeny-based cryptography and quaternion algebras called the Deuring correspondence.
We will start with a generic overview of the applications of the Deuring correspondence to isogeny-based cryptography, before presenting a new algorithm to compute and realize the Deuring correspondence. In particular, this can be applied to speed-up the SQISign signature scheme.
Tako Boris Fouotsa - Torsion point images in SIDH: from savior to killer
November 8th, 17:00 (CET).
The first isogeny-based key exchange is the CRS (Couveignes - Rostovtsev - Stolbunov) scheme, which uses ordinary isogenies. The CRS scheme is relatively slow and is subject to a sub-exponential quantum attack. This motivated Jao and De Feo to suggest SIDH, which uses supersingular isogenies that, as opposed to ordinary isogenies, do not commute. To solve this commutativity issue, Jao and De Feo publish images of torsion points through the secret isogeny. SIDH was then faster and was not vulnerable to sub-exponential quantum attacks.
Today, the picture has changed considerably. The torsion point images have been used to design both adaptive and passive attacks on SIDH. Recently, we reached the "point de non retour": they were used to design a polynomial classical attack on SIDH.
In this talk, we will tell the story of the torsion point images in SIDH. We will go through their role in the design of SIDH, and in the design of both adaptive and passive attacks on SIDH.
Sabrina Kunzweiler - Genus 2 Isogenies
Ruhr University Bochum
November 22nd, 17:00 (CET).
Elliptic curves are abelian varieties of dimension one. It is only natural to consider generalizations of isogeny-based cryptographic protocols to higher dimensions. Apart from mathematical curiosity, the recent attacks on SIDH have shown that it is essential to study such generalizations in order to understand the security of elliptic curve based protocols.
This talk gives an introduction to Jacobians of genus-2 curves (abelian varieties of dimension 2) and isogenies in this setting. The focus lies on the computation of Richelot isogenies.
Marc Houben - Horizontal racewalking using radical isogenies
December 13th, 17:00 (CET).
Radical isogeny formulae are equations that can be used to efficiently compute long chains of isogenies of small degree. Basically, they express the coefficients of the next curve in a chain of N-isogenies explicitly in terms of some expression involving the N-th root of a quantity depending on the Weierstrass coefficients of the input curve. One can prove that such an expression always exists, but finding it is a nontrivial task. We present a new method for finding radical isogeny formulae that extends the range for which we know them from N ≤ 13 to N ≤ 37.
We rewrite the existing and new formulae to optimize for fast evaluation. For even N, we present a conjecture that determines which N-th root must be taken in order to stay on the surface of the CSIDH isogeny graph, and we prove this conjecture for N ≤ 14. The combination of the above results in a speed up of a factor 3 for long chains of 2-isogenies over 512 bit prime fields, and we gain 12% over the previous implementation of CSIDH with radical isogenies.
Reach Jonathan and Krijn
via firstname.lastname@example.org to join!
Overview of discussion available at askcryp.to.