The avenue of attack explored in this work is far from complete, and leaves much to be explored and understood. Broadly speaking, it is important to understand the potentials and limitations of exploiting the knowledge of the endomorphism ring of the starting elliptic curve together with the knowledge of the action of an isogeny on a torsion subgroup. A complete investigation of these elements is necessary to thoroughly understand the security of supersingular isogeny-based cryptosystems. Specifically, the major elements we leave for future work are:
• Find endomorphisms with a certain type of degree with a large percentage of eigenvectors, in the unbalanced/multi-party cases. This amounts to finding solutions tow2+Dx2+Dp(y2+z2) =Lkfor a large divisor Dof N
1and
large divisorL of N2
2. We have made a heuristic argument as to why we
believe such solutions exist when there are at least 4-parties, but have no concrete solutions.
• If such endomorphisms can be found, investigate the distribution of the eigenspaces.
• Investigate how this attack would work in the unbalanced case for computa- tionally feasible cases, where the primepis small enough to work.
• Determine, for a fixed primep, if there are certain particular starting elliptic curves that are more or less susceptible to our methods of attack. That is, what is the most appropriate choice of starting curve in a 2-party key exchange assuming we wish to have a fixed starting curve?
• Is there a more efficient reduction from SSDDH to finding solutions to our quadratic formQ. Perhaps combining these methods with other works, for example, that of Petit [17], could yield new cryptanalytic results.
• An in-depth comparison of sizes and performance between SIKE and SITH.
Acknowledgments. We thank Elena Bakos Lang, Edward Eaton, and Daniela
Maftuleac for their helpful suggestions.
References
1. Gora Adj, Daniel Cervantes-V´azquez, Jes´us-Javier Chi-Dom´ınguez, Alfred Menezes, and Francisco Rodr´ıguez-Henr´ıquez. On the Cost of Computing Isogenies Between Supersingular Elliptic Curves. In Carlos Cid and Michael J. Jacobson Jr., editors,
Selected Areas in Cryptography – SAC 2018, pages 322–343. Springer International Publishing, 2019.
2. Gorjan Alagic, Jacob Alperin-Sheriff, Daniel Apon, David Cooper, Quynh Dang, Carl Miller, Dustin Moody, Rene Peralta, Ray Perlner, Angela Robinson, Daniel Smith-Tone, and Yi-Kai Liu. NISTIR 8240 Status Report on the First Round of the NIST Post-Quantum Cryptography Standardization Process. Technical report, National Institute of Standards & Technology, January 2019. https://doi.org/ 10.6028/NIST.IR.8240.
3. Reza Azarderakhsh, Amir Jalali, David Jao, and Vladimir Soukharev. Practical Supersingular Isogeny Group Key Agreement. IACR Cryptology ePrint Archive, 2019:330, 2019.
4. Jean-Fran¸cois Biasse, David Jao, and Anirudh Sankar. A Quantum Algorithm for Computing Isogenies between Supersingular Elliptic Curves. In Willi Meier and Debdeep Mukhopadhyay, editors, Progress in Cryptology – INDOCRYPT 2014, Lecture Notes in Computer Science, pages 428–442. Springer International Publishing, 2014.
5. Denis X Charles, Kristin E Lauter, and Eyal Z Goren. Cryptographic hash functions from expander graphs. Journal of Cryptology, 22(1):93–113, 2009.
6. Lily Chen, Stephen Jordan, Yi-Kai Liu, Dustin Moody, Rene Peralta, Ray Perlner, and Daniel Smith-Tone. NISTIR 8105 Report on Post-Quantum Cryptography. Technical report, National Institute of Standards & Technology, April 2016. https: //doi.org/10.6028/NIST.IR.8105.
7. Andrew Childs, David Jao, and Vladimir Soukharev. Constructing elliptic curve isogenies in quantum subexponential time. Journal of Mathematical Cryptology, 8(1):1–29, 2014.
8. Giuseppe Cornacchia. Su di un metodo per la risoluzione in numeri interi delle- quazionePn
h=0Chxn−hyh=P. Giornale di Matematiche di Battaglini, 46:33–90, 1908.
9. Jean Marc Couveignes. Hard homogeneous spaces.IACR Cryptology ePrint Archive, 2006:291, 2006.
10. Kirsten Eisentr¨ager, Sean Hallgren, Kristin Lauter, Travis Morrison, and Christophe Petit. Supersingular Isogeny Graphs and Endomorphism Rings: Reductions and Solutions. In Jesper Buus Nielsen and Vincent Rijmen, editors, Advances in Cryptology – EUROCRYPT 2018, Lecture Notes in Computer Science, pages 329– 368. Springer International Publishing, 2018.
11. Steven D Galbraith, Christophe Petit, Barak Shani, and Yan Bo Ti. On the security of supersingular isogeny cryptosystems. InInternational Conference on the Theory and Application of Cryptology and Information Security, pages 63–91. Springer, 2016.
12. David Jao, Reza Azarderakhsh, Matthew Campagna, Craig Costello, Amir Jalali, Brian Koziel, Brian LaMacchia, Patrick Longa, Michael Naehrig, Joost Renes, et al. Supersingular isogeny key encapsulation november 30, 2017. NIST Round 1 Submissions for Post-Quantum Cryptography Standardization, 2017.
13. David Jao and Luca De Feo. Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. InInternational Workshop on Post-Quantum Cryptography, pages 19–34. Springer, 2011.
14. Samuel Jaques and John M. Schanck. Quantum Cryptanalysis in the RAM Model: Claw-Finding Attacks on SIKE. In Alexandra Boldyreva and Daniele Micciancio, editors, Advances in Cryptology – CRYPTO 2019, Lecture Notes in Computer Science, pages 32–61. Springer International Publishing, 2019.
15. Kiran S. Kedlaya and Christopher Umans. Fast polynomial factorization and modular composition. SIAM J. Comput., 40:1767–1802, 2008.
16. Daniel Kirkwood, Bradley C Lackey, John McVey, Mark Motley, Jerome A Solinas, and David Tuller. Failure is not an option: standardization issues for post-quantum key agreement. In Talk at NIST workshop on Cybersecurity in a Post-Quantum World: http://www. nist. gov/itl/csd/ct/post-quantum-crypto-workshop-2015. cfm,
volume 2, 2015.
17. Christophe Petit. Faster algorithms for isogeny problems using torsion point images. InAdvances in Cryptology – ASIACRYPT 2017, pages 330–353. Springer, 2017. 18. Arnold Pizer. Ramanujan graphs. AMS IP STUDIES IN ADVANCED MATHE-
MATICS, 7:159–178, 1998.
19. Stephen Pohlig and Martin Hellman. An improved algorithm for computing loga- rithms over gf (p) and its cryptographic significance (corresp.). IEEE Transactions on information Theory, 24(1):106–110, 1978.
20. Alexander Rostovtsev and Anton Stolbunov. Public-key cryptosystem based on isogenies. IACR Cryptology ePrint Archive, 2006:145, 2006.
21. Joseph H Silverman.The arithmetic of elliptic curves, volume 106. Springer Science & Business Media, 2009.
22. Anton Stolbunov. Constructing public-key cryptographic schemes based on class group action on a set of isogenous elliptic curves. Adv. in Math. of Comm., 4(2):215–235, 2010.
23. Andrew Sutherland. On the evaluation of modular polynomials. The Open Book Series, 1(1):531–555, Nov 2013.
24. Seiichiro Tani. Claw finding algorithms using quantum walk. Theoretical Computer Science - TCS, 410, 08 2007.
25. David Urbanik and David Jao. New techniques for SIDH-based NIKE. MathCrypt 2018, to be published in the Journal of Mathematical Cryptology, 2018.
26. David Urbanik and David Jao. SoK: The problem landscape of SIDH. InProceedings of the 5th ACM on ASIA Public-Key Cryptography Workshop, APKC ’18, pages 53–60, New York, NY, USA, 2018. ACM.
27. Jacques V´elu. Isog´enies entre courbes elliptiques.CR Acad. Sc. Paris., 273:238–241, 1971.
28. Andr´e Weil. Sur les fonctions alg´ebriquesa corps de constantes fini. CR Acad. Sci. Paris, 210(592-594):149, 1940.