Seminar Sessions
A seminar session for young isogenists.
Season three
The schedule for Season three of The Isogeny Club is to be finalised. For now, the focus is on the
at Eurocrypt on April 22th, Lyon, France.
Previous talks
Season two

Sarah Arpin  Orientations and Isogeny Graphs
Leiden University
January 31st, 17:00 (CET).abstract
To study supersingular isogeny graphs, one may add to the elliptic curves the information of an orientation, or a particular embedding of an imaginary quadratic field into the endomorphism ring of the curve. Recent cryptographic protocols (Séta, OSIDH) have made use of orientations to define new hard problems on supersingular isogeny graphs. The mathematics of orientations have been studied for a long time, but the algorithmic implications are just now being understood.
As part of a recent Women in Numbers 5 (WIN5) collaboration, my collaborators and I use orientations towards two different goals: 1. pathfinding algorithms in the supersingular ℓisogeny graph and 2. understanding and counting cycles in the supersingular ℓisogeny graph. In this talk, we will first introduce the theory of orientations and discuss the relevant hard problems. We will go on to describe the pathfinding algorithms and the theory behind cyclecounting which stem from adding orientations to supersingular elliptic curves.

Andrea Basso  A PostQuantum Oblivious PRF from Isogenies
University of Bristol
February 14th, 17:00 (CET).abstract
An oblivious pseudorandom function, or OPRF, is an important primitive that is used to build many advanced cryptographic protocols. Despite its relevance, very few postquantum solutions exist.
In this talk, we present a novel OPRF protocol that is postquantum, verifiable, roundoptimal, and moderately compact. The protocol is based on a previous SIDHbased construction by Boneh et al., which was later shown to be insecure due to an attack on its onemore unpredictability. We propose an efficient countermeasure against this attack, and we demonstrate how to adapt the protocol to work with the countermeasures against the SIDH attacks. To achieve this, we also propose the first proof of isogeny knowledge that is compatible with masked torsion points, which may be of independent interest. We also design a novel noninteractive proof of knowledge of parallel isogenies, which reduces the number of communication rounds of the OPRF to the theoreticallyoptimal two. Putting everything together, we obtain the most compact postquantum verifiable OPRF protocol.

Jonathan Komada Eriksen  Deuring for the People!
NTNU
February 28th, 17:00 (CET).abstract
In Season one, talk four of the Isogeny Club, we saw a presentation on computing the Deuring correspondence. The efficiency of this computation depends a lot on the characteristic one is working over, and applications such as SQIsign, require primes p of a special form to do this computation. In this presentation, we look at computing the Deuring correspondence in general characteristic, i.e. without assuming any special form of the prime p being used. We start by recalling a "standard" algorithm for computing the Deuring correspondence, before discussing specific optimisations for the case of general characteristic.

Michael Meyer  SQISign primes: Fantastic p's and where to find them
University of Regensburg
March 14th, 17:00 (CET).
abstract
As discussed in the Isogeny Club talks by Antonin Leroux and Jonathan Komada Eriksen, SQISign requires a special prime characteristic in order to be efficient. In particular, we require a large factor of p^21 to be smooth. In this talk, we discuss the related problem of finding twin smooth integers via two different methods: the PTEsieve that uses solutions to the ProuhetTarryEscott problem, and an algorithm by ConreyHolmstromMcLaughlin. Although most of our results are not directly applicable to SQISign, we show how smaller twin smooths can be used to construct SQISignfriendly primes. Our approach is especially suitable for finding parameters for the NISTIII and NISTV security levels.

Pierrick Dartois  SQISignHD: signing with higher dimensional isogenies
INRIA Bordeaux
March 28th, 17:00 (CEST).
abstract
The SQISign isogenybased postquantum digital signature scheme introduced by De Feo, Kohel, Leroux, Petit and Wesolowski outputs very compact signatures at the expense of a high signature time. In this talk, we introduce a new scheme based on SQISign and the polynomial time torsion point attacks against SIDH due to Castryck, Decru, Maino, Martindale and Robert to sign with higher dimensional isogenies. This scheme remains to be implemented but we expect a significant signature time improvement, better security properties and signatures even more compact than in the original SQISign scheme.

Valerie Gilchrist  Evaluating rational isogenies with irrational kernel points
Université Libre de Bruxelles
April 11th, 17:00 (CEST).
abstract
An isogeny can be defined over a given field even when its kernel generators, which we need for efficient Vélu formulae, are only defined over some extension. How can we efficiently evaluate these isogenies? In this talk we will present some new algorithms for this and related problems.
Season one

Thomas Decru  Breaking SIKE
KU Leuven
September 13th, 17:00 (CEST).abstract
Thomas paints a somewhat broader picture of the genus2 isogeny setting to showcase how Wouter Castryck and Thomas found all the pieces of the puzzle to break SIKE.

Bruno Sterner  git commit m “isogenies”
University of Surrey
September 27th, 17:00 (CEST).abstract
Supersingular isogeny graphs possess many properties that make it an interesting object to study mathematically as well as attempt to apply for cryptographic purposes. In this talk, Bruno will present one of these properties and showcase how it can be applied to construct a commitment scheme. This commitment scheme has strong security properties and doesn’t require random oracles.

Maria CorteReal Santos  [superlative]Solver: Attacking the General Isogeny Problem
University College London
October 11th, 17:00 (CEST).abstract
The general supersingular isogeny problem is the foundational hardness assumption underpinning isogenybased cryptography. Its conjectured classical and quantum hardness has cemented isogenies as a promising tool for building postquantum secure protocols.
In this talk, we will look at the general isogeny problem in low dimensions. More specifically, we consider the hardness of finding an isogeny between two given supersingular elliptic curves or two superspecial abelian surfaces defined over 𝔽_{p2}. Viewing these as path finding problems in a related isogeny graph, we introduce a general framework for solving these problems and present the stateoftheart attacks against them. We will also discuss a strategy for improving their concrete complexity, based on joint work with Craig Costello, Sam Frengley and Jia Shi.

Antonin Leroux  A new algorithm for the effective Deuring correspondence: making SQISign
faster
DGA,
October 25th, 17:00 (CEST).abstract
The quantum computer is a threat to cryptography as it can solve the problems upon which relies the security of a lot of protocols. Isogenybased cryptography is a family of protocols relying on the hardness of finding an isogeny between two supersingular elliptic curves, a problem assumed hard even for a quantum computer. In this talk, we focus on the connection between isogenybased cryptography and quaternion algebras called the Deuring correspondence.
We will start with a generic overview of the applications of the Deuring correspondence to isogenybased cryptography, before presenting a new algorithm to compute and realize the Deuring correspondence. In particular, this can be applied to speedup the SQISign signature scheme.

Tako Boris Fouotsa  Torsion point images in SIDH: from savior to killer
EPFL,
November 8th, 17:00 (CET).abstract
The first isogenybased key exchange is the CRS (Couveignes  Rostovtsev  Stolbunov) scheme, which uses ordinary isogenies. The CRS scheme is relatively slow and is subject to a subexponential quantum attack. This motivated Jao and De Feo to suggest SIDH, which uses supersingular isogenies that, as opposed to ordinary isogenies, do not commute. To solve this commutativity issue, Jao and De Feo publish images of torsion points through the secret isogeny. SIDH was then faster and was not vulnerable to subexponential quantum attacks.
Today, the picture has changed considerably. The torsion point images have been used to design both adaptive and passive attacks on SIDH. Recently, we reached the "point de non retour": they were used to design a polynomial classical attack on SIDH.
In this talk, we will tell the story of the torsion point images in SIDH. We will go through their role in the design of SIDH, and in the design of both adaptive and passive attacks on SIDH.

Sabrina Kunzweiler  Genus 2 Isogenies
Ruhr University Bochum
November 22nd, 17:00 (CET).abstract
Elliptic curves are abelian varieties of dimension one. It is only natural to consider generalizations of isogenybased cryptographic protocols to higher dimensions. Apart from mathematical curiosity, the recent attacks on SIDH have shown that it is essential to study such generalizations in order to understand the security of elliptic curve based protocols.
This talk gives an introduction to Jacobians of genus2 curves (abelian varieties of dimension 2) and isogenies in this setting. The focus lies on the computation of Richelot isogenies.

Marc Houben  Horizontal racewalking using radical isogenies
Universiteit Leiden
December 13th, 17:00 (CET).
abstract
Radical isogeny formulae are equations that can be used to efficiently compute long chains of isogenies of small degree. Basically, they express the coefficients of the next curve in a chain of Nisogenies explicitly in terms of some expression involving the Nth root of a quantity depending on the Weierstrass coefficients of the input curve. One can prove that such an expression always exists, but finding it is a nontrivial task. We present a new method for finding radical isogeny formulae that extends the range for which we know them from N ≤ 13 to N ≤ 37.
We rewrite the existing and new formulae to optimize for fast evaluation. For even N, we present a conjecture that determines which Nth root must be taken in order to stay on the surface of the CSIDH isogeny graph, and we prove this conjecture for N ≤ 14. The combination of the above results in a speed up of a factor 3 for long chains of 2isogenies over 512 bit prime fields, and we gain 12% over the previous implementation of CSIDH with radical isogenies.
Personal page • Slides • Recording • Discussion
Reach Jonathan and Krijn
via isogenyclub@gmail.com to join!
Overview of discussion available at askcryp.to.
Researchseminars.org here.
Twitter here.
YouTube here.