TY - JOUR
T1 - Algebraic approaches for solving isogeny problems of prime power degrees
AU - Takahashi, Yasushi
AU - Kudo, Momonari
AU - Fukasaku, Ryoya
AU - Ikematsu, Yasuhiko
AU - Yasuda, Masaya
AU - Yokoyama, Kazuhiro
N1 - Funding Information:
This work was supported by JSPS KAKENHI Grant Numbers 18H05836, 19K21026, and 19K22847, Japan
Publisher Copyright:
© 2020 Y. Takahashi et al., published by De Gruyter.
PY - 2021/1/1
Y1 - 2021/1/1
N2 - Recently, supersingular isogeny cryptosystems have received attention as a candidate of post-quantum cryptography (PQC). Their security relies on the hardness of solving isogeny problems over supersingular elliptic curves. The meet-in-the-middle approach seems the most practical to solve isogeny problems with classical computers. In this paper, we propose two algebraic approaches for isogeny problems of prime power degrees. Our strategy is to reduce isogeny problems to a system of algebraic equations, and to solve it by Gröbner basis computation. The first one uses modular polynomials, and the second one uses kernel polynomials of isogenies. We report running times for solving isogeny problems of 3-power degrees on supersingular elliptic curves over p2 with 503-bit prime p, extracted from the NIST PQC candidate SIKE. Our experiments show that our firstapproach is faster than the meet-in-the-middle approach for isogeny degrees up to 310.
AB - Recently, supersingular isogeny cryptosystems have received attention as a candidate of post-quantum cryptography (PQC). Their security relies on the hardness of solving isogeny problems over supersingular elliptic curves. The meet-in-the-middle approach seems the most practical to solve isogeny problems with classical computers. In this paper, we propose two algebraic approaches for isogeny problems of prime power degrees. Our strategy is to reduce isogeny problems to a system of algebraic equations, and to solve it by Gröbner basis computation. The first one uses modular polynomials, and the second one uses kernel polynomials of isogenies. We report running times for solving isogeny problems of 3-power degrees on supersingular elliptic curves over p2 with 503-bit prime p, extracted from the NIST PQC candidate SIKE. Our experiments show that our firstapproach is faster than the meet-in-the-middle approach for isogeny degrees up to 310.
UR - http://www.scopus.com/inward/record.url?scp=85097141288&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85097141288&partnerID=8YFLogxK
U2 - 10.1515/jmc-2020-0072
DO - 10.1515/jmc-2020-0072
M3 - Article
AN - SCOPUS:85097141288
SN - 1862-2976
VL - 15
SP - 31
EP - 44
JO - Journal of Mathematical Cryptology
JF - Journal of Mathematical Cryptology
IS - 1
ER -