
Constructing elliptic curve isogenies in quantum subexponential time (1012.4019v3)

Published 17 Dec 2010 in quant-ph, cs.CC, and math.NT

Abstract: Given two elliptic curves over a finite field having the same cardinality and endomorphism ring, it is known that the curves admit an isogeny between them, but finding such an isogeny is believed to be computationally difficult. The fastest known classical algorithm takes exponential time, and prior to our work no faster quantum algorithm was known. Recently, public-key cryptosystems based on the presumed hardness of this problem have been proposed as candidates for post-quantum cryptography. In this paper, we give a subexponential-time quantum algorithm for constructing isogenies, assuming the Generalized Riemann Hypothesis (but with no other assumptions). Our algorithm is based on a reduction to a hidden shift problem, together with a new subexponential-time algorithm for evaluating isogenies from kernel ideals (under only GRH), and represents the first nontrivial application of Kuperberg's quantum algorithm for the hidden shift problem. This result suggests that isogeny-based cryptosystems may be uncompetitive with more mainstream quantum-resistant cryptosystems such as lattice-based cryptosystems.

Citations (270)

Summary

  • The paper presents a quantum reduction of isogeny construction to an injective hidden shift problem, enabling the use of Kuperberg’s algorithm.
  • It develops a subexponential-time algorithm for evaluating isogenies under the Generalized Riemann Hypothesis using Cayley graph expansion properties.
  • The work challenges the security assumptions of isogeny-based cryptosystems in post-quantum settings while exploring alternatives that require polynomial space.

Subexponential Quantum Algorithms for Elliptic Curve Isogeny Construction

The paper "Constructing elliptic curve isogenies in quantum subexponential time" by Childs, Jao, and Soukharev introduces a quantum algorithm with significant consequences for isogeny-based cryptography. It constructs isogenies between elliptic curves in subexponential time, assuming the Generalized Riemann Hypothesis (GRH). The result bears directly on the security of post-quantum cryptographic systems that rely on the hardness of the isogeny problem.

Core Contributions

The authors present two main contributions within the paper:

  1. Reduction to a Hidden Shift Problem: The paper reduces the isogeny construction problem to an injective hidden shift problem. Because the hiding functions are injective, Kuperberg's quantum algorithm can solve the hidden shift problem in subexponential time, making this the first nontrivial application of Kuperberg's approach outside of a black-box setting.
  2. Subexponential-Time Algorithm for Isogeny Evaluation: The paper offers a complementary classical algorithm for evaluating isogenies in subexponential time, assuming GRH. The result relies on expansion properties of Cayley graphs and makes it possible to compute efficiently the hiding functions that the hidden shift reduction needs.
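The hidden shift structure behind the reduction, as an added example that is not code from the paper: a toy free, transitive action of Z_n on opaque labels stands in for the ideal class group acting on curves, and a classical collision search recovers the shift in about 2√n action evaluations, which is exponential in the bit length of n. All names (`ToyClassGroupAction`, `hiding_functions`, `classical_shift_recovery`) and the values n = 1009 and shift 777 are constructed for illustration.

```python
import math
import random


class ToyClassGroupAction:
    """Free, transitive action of Z_n on n opaque labels (a stand-in for
    the ideal class group acting on a set of elliptic curves)."""

    def __init__(self, n, seed=2010):
        rng = random.Random(seed)
        self.n = n
        self._labels = rng.sample(range(10 * n), n)  # opaque "curve" names
        self._index = {lab: i for i, lab in enumerate(self._labels)}
        self.evaluations = 0  # counts calls to act(), the costly step

    def act(self, a, curve):
        self.evaluations += 1
        return self._labels[(self._index[curve] + a) % self.n]


def hiding_functions(action, e0, e1):
    """f0(a) = a*E0 and f1(a) = a*E1; if E1 = s*E0 then f1(a) = f0(a + s)."""
    return (lambda a: action.act(a, e0)), (lambda a: action.act(a, e1))


def classical_shift_recovery(f0, f1, n):
    """Meet in the middle: find i, j with f0(i) == f1(-j*m), so s = i + j*m."""
    m = math.isqrt(n - 1) + 1  # ceil(sqrt(n))
    table = {f0(i): i for i in range(m)}
    for j in range(m):
        hit = table.get(f1(-j * m))
        if hit is not None:
            return (hit + j * m) % n
    raise ValueError("no collision: the two curves are not in one orbit")


def demo(n=1009, secret_shift=777):
    action = ToyClassGroupAction(n)
    e0 = action._labels[0]
    e1 = action.act(secret_shift, e0)
    f0, f1 = hiding_functions(action, e0, e1)
    injective = len({f0(a) for a in range(n)}) == n
    shifted = all(f1(a) == f0(a + secret_shift) for a in range(n))
    action.evaluations = 0  # count only the work done by the search
    recovered = classical_shift_recovery(f0, f1, n)
    return injective, shifted, recovered, action.evaluations


if __name__ == "__main__":
    print(demo())
```

The search never looks inside the labels, only at equality of action outputs, which is the same access the quantum hidden shift algorithm has to the hiding functions.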

Theoretical and Practical Implications

The theoretical implications are significant. Because the algorithm is subexponential, it places isogeny-based cryptosystems in a precarious position regarding their viability in a quantum context. Since the security of such cryptosystems was believed to rest on the difficulty of isogeny construction, this algorithm raises doubts about their competitiveness compared to lattice-based cryptosystems, which remain unchallenged at such security levels.

On the practical front, the need for superpolynomial space in Kuperberg’s algorithm poses challenges for real-world implementations with existing quantum hardware. The authors mitigate this with an alternative approach via Regev's algorithm, which requires only polynomial space at the cost of increased computational time.

Results and Assumptions

Key results include the execution of the algorithm within a time complexity of $L(q^{1/2}, 1/2 + o(1))$ under GRH for ideal class computations, and the successful application of the hidden shift method to the isogeny computation problem. The reliance solely on the GRH, as opposed to additional heuristic assumptions required by previous works, strengthens the validity and reproducibility of these results.

Future Developments

The paper’s advancements pave the way for further exploration into quantum algorithms applied to isogeny-based cryptography. An evident avenue for future research involves optimizing the space complexity of the current approaches, potentially closing the gap between theoretical quantum capabilities and practical applicability. Additionally, investigations into other cryptographic protocols less susceptible to quantum attacks are warranted.

Overall, the work significantly contributes to the ongoing dialogue within quantum cryptography, especially in the context of transitioning to systems resilient against quantum adversaries. As quantum computational capabilities mature, these findings will likely influence the strategic direction of cryptographic protocol development and adoption.