-
On the computation of endomorphism rings of abelian surfaces over finite fields
Authors:
Samuele Anni,
Gaetan Bisson,
Annamaria Iezzi,
Elisa Lorenzo García,
Benjamin Wesolowski
Abstract:
We study endomorphism rings of principally polarized abelian surfaces over finite fields from a computational viewpoint with a focus on exhaustiveness. In particular, we address the cases of non-ordinary and non-simple varieties. For each possible surface type, we survey known results and, whenever possible, provide improvements and missing results.
Submitted 11 March, 2025;
originally announced March 2025.
-
The supersingular endomorphism ring problem given one endomorphism
Authors:
Arthur Herlédan Le Merdy,
Benjamin Wesolowski
Abstract:
Given a supersingular elliptic curve $E$ and a non-scalar endomorphism $α$ of $E$, we prove that the endomorphism ring of $E$ can be computed in classical time about $\mathrm{disc}(\mathbb{Z}[α])^{1/4}$, and in quantum subexponential time, assuming the generalised Riemann hypothesis. Previous results either had higher complexities, or relied on heuristic assumptions. Along the way, we prove that the Primitivisation problem can be solved in polynomial time (a problem previously believed to be hard), and we prove that the action of smooth ideals on oriented elliptic curves can be computed in polynomial time (previous results of this form required the ideal to be powersmooth, i.e., not divisible by any large prime power). Following the attacks on SIDH, isogenies in high dimension are a central ingredient of our results.
Submitted 24 February, 2025; v1 submitted 21 September, 2023;
originally announced September 2023.
-
The supersingular Endomorphism Ring and One Endomorphism problems are equivalent
Authors:
Aurel Page,
Benjamin Wesolowski
Abstract:
The supersingular Endomorphism Ring problem is the following: given a supersingular elliptic curve, compute all of its endomorphisms. The presumed hardness of this problem is foundational for isogeny-based cryptography. The One Endomorphism problem only asks to find a single non-scalar endomorphism. We prove that these two problems are equivalent, under probabilistic polynomial time reductions. We prove a number of consequences. First, assuming the hardness of the endomorphism ring problem, the Charles--Goren--Lauter hash function is collision resistant, and the SQIsign identification protocol is sound. Second, the endomorphism ring problem is equivalent to the problem of computing arbitrary isogenies between supersingular elliptic curves, a result previously known only for isogenies of smooth degree. Third, there exists an unconditional probabilistic algorithm to solve the endomorphism ring problem in time $\tilde{O}(\sqrt{p})$, a result that previously required assuming the generalized Riemann hypothesis. To prove our main result, we introduce a flexible framework for the study of isogeny graphs with additional information. We prove a general and easy-to-use rapid mixing theorem. The proof of this result goes via an augmented Deuring correspondence and the Jacquet--Langlands correspondence.
Submitted 16 October, 2023; v1 submitted 19 September, 2023;
originally announced September 2023.
-
Finding Orientations of Supersingular Elliptic Curves and Quaternion Orders
Authors:
Sarah Arpin,
James Clements,
Pierrick Dartois,
Jonathan Komada Eriksen,
Péter Kutas,
Benjamin Wesolowski
Abstract:
Orientations of supersingular elliptic curves encode the information of an endomorphism of the curve. Computing the full endomorphism ring is a known hard problem, so one might consider how hard it is to find one such orientation. We prove that access to an oracle which tells if an elliptic curve is $\mathfrak{O}$-orientable for a fixed imaginary quadratic order $\mathfrak{O}$ provides non-trivial information towards computing an endomorphism corresponding to the $\mathfrak{O}$-orientation. We provide explicit algorithms and in-depth complexity analysis.
We also consider the question in terms of quaternion algebras. We provide algorithms which compute an embedding of a fixed imaginary quadratic order into a maximal order of the quaternion algebra ramified at $p$ and $\infty$. We provide code implementations in Sagemath which is efficient for finding embeddings of imaginary quadratic orders of discriminants up to $O(p)$, even for cryptographically sized $p$.
Submitted 22 August, 2023;
originally announced August 2023.
-
On the decisional Diffie-Hellman problem for class group actions on oriented elliptic curves
Authors:
Wouter Castryck,
Marc Houben,
Frederik Vercauteren,
Benjamin Wesolowski
Abstract:
We show how the Weil pairing can be used to evaluate the assigned characters of an imaginary quadratic order $\mathcal{O}$ in an unknown ideal class $[\mathfrak{a}] \in \mathrm{Cl}(\mathcal{O})$ that connects two given $\mathcal{O}$-oriented elliptic curves $(E, ι)$ and $(E', ι') = [\mathfrak{a}](E, ι)$. When specialized to ordinary elliptic curves over finite fields, our method is conceptually simpler and often somewhat faster than a recent approach due to Castryck, Sotáková and Vercauteren, who rely on the Tate pairing instead. The main implication of our work is that it breaks the decisional Diffie-Hellman problem for practically all oriented elliptic curves that are acted upon by an even-order class group. It can also be used to better handle the worst cases in Wesolowski's recent reduction from the vectorization problem for oriented elliptic curves to the endomorphism ring problem, leading to a method that always works in sub-exponential time.
Submitted 3 October, 2022;
originally announced October 2022.
-
The supersingular isogeny path and endomorphism ring problems are equivalent
Authors:
Benjamin Wesolowski
Abstract:
We prove that the path-finding problem in $\ell$-isogeny graphs and the endomorphism ring problem for supersingular elliptic curves are equivalent under reductions of polynomial expected time, assuming the generalised Riemann hypothesis. The presumed hardness of these problems is foundational for isogeny-based cryptography. As an essential tool, we develop a rigorous algorithm for the quaternion analog of the path-finding problem, building upon the heuristic method of Kohel, Lauter, Petit and Tignol. This problem, and its (previously heuristic) resolution, are both a powerful cryptanalytic tool and a building-block for cryptosystems.
Submitted 2 November, 2021;
originally announced November 2021.
-
Computation of a 30750-Bit Binary Field Discrete Logarithm
Authors:
Robert Granger,
Thorsten Kleinjung,
Arjen K. Lenstra,
Benjamin Wesolowski,
Jens Zumbrägel
Abstract:
This paper reports on the computation of a discrete logarithm in the finite field $\mathbb F_{2^{30750}}$, breaking by a large margin the previous record, which was set in January 2014 by a computation in $\mathbb F_{2^{9234}}$. The present computation made essential use of the elimination step of the quasi-polynomial algorithm due to Granger, Kleinjung and Zumbrägel, and is the first large-scale experiment to truly test and successfully demonstrate its potential when applied recursively, which is when it leads to the stated complexity. It required the equivalent of about 2900 core years on a single core of an Intel Xeon Ivy Bridge processor running at 2.6 GHz, which is comparable to the approximately 3100 core years expended for the discrete logarithm record for prime fields, set in a field of bit-length 795, and demonstrates just how much easier the problem is for this level of computational effort. In order to make the computation feasible we introduced several innovative techniques for the elimination of small degree irreducible elements, which meant that we avoided performing any costly Gröbner basis computations, in contrast to all previous records since early 2013. While such computations are crucial to the $L(\frac 1 4 + o(1))$ complexity algorithms, they were simply too slow for our purposes. Finally, this computation should serve as a serious deterrent to cryptographers who are still proposing to rely on the discrete logarithm security of such finite fields in applications, despite the existence of two quasi-polynomial algorithms and the prospect of even faster algorithms being developed.
Submitted 6 August, 2020;
originally announced August 2020.
-
Discrete logarithms in quasi-polynomial time in finite fields of fixed characteristic
Authors:
Thorsten Kleinjung,
Benjamin Wesolowski
Abstract:
We prove that the discrete logarithm problem can be solved in quasi-polynomial expected time in the multiplicative group of finite fields of fixed characteristic. More generally, we prove that it can be solved in the field of cardinality $p^n$ in expected time $(pn)^{2\log_2(n) + O(1)}$.
Submitted 18 November, 2019; v1 submitted 25 June, 2019;
originally announced June 2019.
-
Generating subgroups of ray class groups with small prime ideals
Authors:
Benjamin Wesolowski
Abstract:
Explicit bounds are given on the norms of prime ideals generating arbitrary subgroups of ray class groups of number fields, assuming the Extended Riemann Hypothesis. These are the first explicit bounds for this problem, and are significantly better than previously known asymptotic bounds. Applied to the integers, they express that any subgroup of index $i$ of the multiplicative group of integers modulo $m$ is generated by prime numbers smaller than $16(i\log m)^2$, subject to the Riemann Hypothesis. Two particular consequences relate to mathematical cryptology. Applied to cyclotomic fields, they provide explicit bounds on generators of the relative class group, needed in some previous work on the shortest vector problem on ideal lattices. Applied to Jacobians of hyperelliptic curves, they allow one to derive bounds on the degrees of isogenies required to make their horizontal isogeny graphs connected. Such isogeny graphs are used to study the discrete logarithm problem on said Jacobians.
Submitted 4 July, 2018;
originally announced July 2018.
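The bound quoted above for the integers is easy to sanity-check on small moduli by brute force. The following is an added example, not code from the paper or its author: it takes a subgroup $H$ of $(\mathbb{Z}/m\mathbb{Z})^*$, computes its index $i$ and the bound $16(i\log m)^2$, and then finds the smallest cutoff $X$ such that the primes $p < X$ coprime to $m$ with $p \bmod m \in H$ already generate $H$. The helper names, the choice of $k$-th power subgroups as test subgroups, and the sample moduli are this example's own; they are not from the paper. The moduli are small enough that the closure of a generating set can be computed by plain breadth-first search, so nothing here depends on the Riemann Hypothesis, which is only needed for the bound to hold for every $m$.

```python
# Added example (not from the paper): brute-force check, on small moduli, of the
# abstract's claim that a subgroup H of index i in (Z/mZ)^* is generated by the
# primes p < 16 (i log m)^2 that lie in H. Helper names and sample moduli are
# this example's own choices.
from math import gcd, log


def primes_below(n):
    """Primes p < n by a sieve of Eratosthenes."""
    if n < 3:
        return []
    sieve = bytearray([1]) * n
    sieve[0] = sieve[1] = 0
    for p in range(2, int(n ** 0.5) + 1):
        if sieve[p]:
            sieve[p * p::p] = bytearray(len(range(p * p, n, p)))
    return [p for p in range(n) if sieve[p]]


def unit_group(m):
    """(Z/mZ)^* as a list of representatives in [1, m)."""
    return [x for x in range(1, m) if gcd(x, m) == 1]


def generated_subgroup(gens, m):
    """Closure of the units `gens` under multiplication mod m (BFS).

    Since the group is finite, closure under multiplication already gives a
    subgroup, so no inverses need to be added explicitly."""
    seen = {1 % m}
    frontier = [1 % m]
    while frontier:
        nxt = []
        for x in frontier:
            for g in gens:
                y = x * g % m
                if y not in seen:
                    seen.add(y)
                    nxt.append(y)
        frontier = nxt
    return frozenset(seen)


def kth_power_subgroup(m, k):
    """The subgroup of k-th powers in (Z/mZ)^*; a convenient source of test subgroups."""
    return frozenset(pow(x, k, m) for x in unit_group(m))


def erh_bound(m, index):
    """The abstract's bound 16 (i log m)^2 for a subgroup of index i."""
    return 16 * (index * log(m)) ** 2


def smallest_generating_cutoff(m, H):
    """Smallest X such that the primes p < X with gcd(p, m) = 1 and p mod m in H
    generate H, searching only up to the abstract's bound.

    Returns (X, bound, index). X is None if no cutoff below the bound works,
    which the abstract's result rules out under the Riemann Hypothesis."""
    index = len(unit_group(m)) // len(H)
    bound = erh_bound(m, index)
    gens = []
    for p in primes_below(int(bound) + 1):
        if gcd(p, m) != 1 or p % m not in H:
            continue  # only primes lying in H are allowed as generators
        gens.append(p % m)
        if generated_subgroup(gens, m) == H:
            return p + 1, bound, index
    return None, bound, index


if __name__ == "__main__":
    # Sample moduli (constructed for this example): a prime with the squares,
    # a prime with the 4th powers, and a composite modulus whose unit group is
    # not cyclic (561 = 3 * 11 * 17; cubing is a bijection there, so H = G).
    for m, k in [(10007, 2), (97, 4), (561, 3)]:
        H = kth_power_subgroup(m, k)
        X, bound, index = smallest_generating_cutoff(m, H)
        print(f"m={m}: |H|={len(H)}, index={index}, "
              f"primes below {X} generate H, bound {bound:.0f}")
```

For $m = 10007$ and $H$ the squares, the cutoff is $3$: the prime $2$ is a quadratic residue because $10007 \equiv 7 \pmod 8$, and since $(10007-1)/2 = 5003$ is prime, any non-trivial square generates $H$ on its own. The bound, about $5430$, is far from tight in this case; the paper's point is that it is explicit and holds uniformly, which is what the applications to class groups and isogeny graphs need.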
-
A new perspective on the powers of two descent for discrete logarithms in finite fields
Authors:
Thorsten Kleinjung,
Benjamin Wesolowski
Abstract:
A new proof is given for the correctness of the powers of two descent method for computing discrete logarithms. The result is slightly stronger than the original work, but more importantly we provide a unified geometric argument, eliminating the need to analyse all possible subgroups of $\mathrm{PGL}_2(\mathbb F_q)$. Our approach sheds new light on the role of $\mathrm{PGL}_2$, in the hope of eventually leading to a complete proof that discrete logarithms can be computed in quasi-polynomial time in finite fields of fixed characteristic.
Submitted 4 July, 2018; v1 submitted 30 April, 2018;
originally announced May 2018.
-
Isogeny graphs of ordinary abelian varieties
Authors:
Ernest Hunter Brooks,
Dimitar Jetchev,
Benjamin Wesolowski
Abstract:
Fix a prime number $\ell$. Graphs of isogenies of degree a power of $\ell$ are well-understood for elliptic curves, but not for higher-dimensional abelian varieties. We study the case of absolutely simple ordinary abelian varieties over a finite field. We analyse graphs of so-called $\mathfrak l$-isogenies, resolving that they are (almost) volcanoes in any dimension. Specializing to the case of principally polarizable abelian surfaces, we then exploit this structure to describe graphs of a particular class of isogenies known as $(\ell, \ell)$-isogenies: those whose kernels are maximal isotropic subgroups of the $\ell$-torsion for the Weil pairing. We use these two results to write an algorithm giving a path of computable isogenies from an arbitrary absolutely simple ordinary abelian surface towards one with maximal endomorphism ring, which has immediate consequences for the CM-method in genus 2, for computing explicit isogenies, and for the random self-reducibility of the discrete logarithm problem in genus 2 cryptography.
Submitted 30 September, 2016;
originally announced September 2016.
-
Horizontal isogeny graphs of ordinary abelian varieties and the discrete logarithm problem
Authors:
Dimitar Jetchev,
Benjamin Wesolowski
Abstract:
Fix an ordinary abelian variety defined over a finite field. The ideal class group of its endomorphism ring acts freely on the set of isogenous varieties with the same endomorphism ring, by complex multiplication. Any subgroup of the class group, and generating set thereof, induces an isogeny graph on the orbit of the variety for this subgroup. We compute (under the Generalized Riemann Hypothesis) some bounds on the norms of prime ideals generating it, such that the associated graph has good expansion properties.
We use these graphs, together with a recent algorithm of Dudeanu, Jetchev and Robert for computing explicit isogenies in genus 2, to prove random self-reducibility of the discrete logarithm problem within the subclasses of principally polarizable ordinary abelian surfaces with fixed endomorphism ring. In addition, we remove the heuristics in the complexity analysis of an algorithm of Galbraith for explicitly computing isogenies between two elliptic curves in the same isogeny class, and extend it to a more general setting including genus 2.
Submitted 25 January, 2017; v1 submitted 1 June, 2015;
originally announced June 2015.
-
Infinitesimal generators of q-Meixner processes
Authors:
Wlodek Bryc,
Jacek Wesolowski
Abstract:
We show that the weak infinitesimal generator of a class of Markov processes acts on bounded continuous functions with bounded continuous second derivative as a singular integral with respect to the orthogonality measure of the explicit family of polynomials.
Submitted 13 September, 2013;
originally announced September 2013.