TY - GEN
T1 - Efficient Theta-Based Algorithms for Computing (ℓ,ℓ)-Isogenies on Kummer Surfaces for Arbitrary Odd ℓ
AU - Yoshizumi, Ryo
AU - Onuki, Hiroshi
AU - Ohashi, Ryo
AU - Kudo, Momonari
AU - Nuida, Koji
N1 - Publisher Copyright:
© The Author(s), under exclusive license to Springer Nature Switzerland AG 2025.
PY - 2025
Y1 - 2025
N2 - Isogeny-based cryptography is one of the candidates for post-quantum cryptography. Recently, several isogeny-based cryptosystems using isogenies between Kummer surfaces were proposed. Most of those cryptosystems use (2, 2)-isogenies. However, to enhance the possibility of cryptosystems, higher degree isogenies, i.e., (ℓ,ℓ)-isogenies for an odd ℓ, are also crucial. For an odd ℓ, Lubicz–Robert proposed a formula to compute (ℓ)g-isogenies in general dimensions g. In this paper, we propose explicit and efficient algorithms to compute (ℓ,ℓ)-isogenies between Kummer surfaces, based on the Lubicz–Robert formula. In particular, we propose two algorithms for computing the codomain of the isogeny and two algorithms for evaluating the image of a point under the isogeny. Then, we count the number of arithmetic operations required for each proposed algorithm and determine the most efficient algorithm in terms of the number of operations for each algorithm for each ℓ. As an application, we implemented the SIDH attack on B-SIDH in SageMath using the most efficient algorithm. In a setting that originally claimed 128-bit security, our implementation was able to recover the secret key in approximately 11 h.
AB - Isogeny-based cryptography is one of the candidates for post-quantum cryptography. Recently, several isogeny-based cryptosystems using isogenies between Kummer surfaces were proposed. Most of those cryptosystems use (2, 2)-isogenies. However, to enhance the possibility of cryptosystems, higher degree isogenies, i.e., (ℓ,ℓ)-isogenies for an odd ℓ, are also crucial. For an odd ℓ, Lubicz–Robert proposed a formula to compute (ℓ)g-isogenies in general dimensions g. In this paper, we propose explicit and efficient algorithms to compute (ℓ,ℓ)-isogenies between Kummer surfaces, based on the Lubicz–Robert formula. In particular, we propose two algorithms for computing the codomain of the isogeny and two algorithms for evaluating the image of a point under the isogeny. Then, we count the number of arithmetic operations required for each proposed algorithm and determine the most efficient algorithm in terms of the number of operations for each algorithm for each ℓ. As an application, we implemented the SIDH attack on B-SIDH in SageMath using the most efficient algorithm. In a setting that originally claimed 128-bit security, our implementation was able to recover the secret key in approximately 11 h.
KW - B-SIDH
KW - Isogeny-based cryptography
KW - Kummer surface
KW - Post-quantum cryptography
KW - Theta function
UR - https://www.scopus.com/pages/publications/105002153596
UR - https://www.scopus.com/pages/publications/105002153596#tab=citedBy
U2 - 10.1007/978-3-031-86602-9_1
DO - 10.1007/978-3-031-86602-9_1
M3 - Conference contribution
AN - SCOPUS:105002153596
SN - 9783031866012
T3 - Lecture Notes in Computer Science
SP - 3
EP - 37
BT - Post-Quantum Cryptography - 16th International Workshop, PQCrypto 2025, Proceedings
A2 - Niederhagen, Ruben
A2 - Saarinen, Markku-Juhani O.
PB - Springer Science and Business Media Deutschland GmbH
T2 - 16th International Workshop on Post-Quantum Cryptography, PQCrypto 2025
Y2 - 8 April 2025 through 10 April 2025
ER -