 So thank you very much for the invitation and for being here, so apologies for giving a blackboard talk, but yeah I hope it's fine. So I'm going to talk about the isogeny interpolation problem, which is a problem that we isolated from work by me and Thomas Decru, and then there was a follow-up work by Luciano Maino, Chloe Martindale, Lorenz Panny, Giacomo Pope, and Benjamin Wesolowski, and then everything was kind of summarized by Damien Robert, and this is the starting point for this talk, so this is a paper from last year, solving a rather general instance of the isogeny interpolation problem, and in this talk we will review his work and then give a more general solution to the isogeny interpolation problem, and so let me start with the following lemma, which is the motivating lemma, so every degree d isogeny between two elliptic curves, E1 and E2, is uniquely determined, or let me maybe put, for consistency with later notation, E and E prime, is uniquely determined by the images of any 4d plus one points, and that's an easy lemma to prove, so let me just quickly sketch the proof, so imagine you have two isogenies of degree d, which agree on 4d plus one points, so the claim is that they are automatically the same, so imagine you have two such isogenies that are not the same, so then we can consider the difference isogeny, and we can say something about the degree of that difference isogeny, namely the degree is always bigger than the number of elements in the kernel, but since both isogenies are assumed to agree on 4d plus one points, this number of points in the kernel is at least 4d plus one, but then there's this Cauchy-Schwarz type inequality for the degree of isogenies, so the degree satisfies this inequality, which you may know from one of the proofs of the Hasse-Weil bound, to apply to Frobenius minus the identity N1, so this is the inequality in general, and this will imply that the degree of phi1 minus phi2 is at most 4d, and so that's a contradiction, and so this 
proves this lemma, okay, so whenever you have an isogeny, you know the degree d, and you know how it acts, so you know the images of 4d plus one points, then you know that the isogeny is uniquely determined, so a quick remark maybe, this bound is sharp, and the reason is that whenever you have an isogeny phi, then you can also consider minus phi, and so phi and minus phi, they agree on half, on the points that double to a point in the kernel of phi, so by this I mean the set of points whose double is in the kernel of phi, on such points phi and minus phi take the same values, and the number of points here is 4d typically, so phi and minus phi will typically agree on 4d points, okay, in any case this lemma naturally leads to what we call the isogeny interpolation problem, so let me abbreviate it IIP, so let's state it as follows, we have the input to the problem, which are the elliptic curves E, E prime, so the domain and the codomain, and as I said we assume here that we know the degree, often you can derive the degree from the other data, but not always, and then we also assume that we have points p1 up to pk, that generate a group, a group G, so it's a group of E, such that the number of elements in this group is bigger than 4d, because if you know how an isogeny acts on a bunch of points, then of course you know how it acts on the group generated by those points, because an isogeny is a group homomorphism, so we can always talk about the group generated by these points, and then we have candidate image points, and we also have a challenge point s, and then the output should be, well either it should be phi of s, if there exists an isogeny phi of degree d, such that phi of p_i equals p_i prime for all indices i, or like the perp symbol, if no such phi exists, okay, so thanks to this lemma, this is a well defined problem, and so this is the problem that we are going to study in this talk, so is the statement clear for anyone? 
So the disadvantage of this whiteboard app is that I have to erase everything whenever I switch to a new board, but I hope the statement is clear, so we have two elliptic curves, E, E prime, we have a bunch of points, a bunch of candidate image points, and then the hope is to evaluate the unique isogeny interpolating these values at any given challenge point s, okay, so that's that, and so let's give some context for this, so context, a special case was solved in the context of breaking SIDH, so SIDH stands for Supersingular Isogeny Diffie-Hellman, and this is or was a key exchange protocol that was proposed by Jao and De Feo in 2011, Jao, sorry, and De Feo in 2011, and yeah, the hope was that this would be secure against attacks by quantum computers, and it was submitted to a competition that is still ongoing by NIST, the National Institute of Standards and Technology, an American government organization, and there it reached the fourth round, which is like a parallel final round before it was broken, and so the version we are going to present or start from today, as I mentioned, is due to Robert, so the special case that I'm referring to here is due to Robert, and so he found an efficient solution, essentially, when there are some subtleties here with this conclusion, the group G is the N-torsion subgroup for some integer N, coprime to the field characteristic, and it should be smooth, and of course there's this bound that we already mentioned, the number of elements in that group, which is N squared in this case, should be bigger than 4d, so in this case, this is what's solved, and it's work by Robert, and so we continued, so yeah, this attack, as I mentioned, we partially co-discovered it with a bunch of people, and now we are teaming up to tackle the isogeny interpolation problem in greater generality, and if time permits, I can also mention something about the applications of this, but I will concentrate on the problem itself, mainly, so before stating 
our main theorem, let me make some assumptions, which will simplify this talk, so I will assume that all curves E, E prime, but also all these interpolation points, and also the challenge point s, are defined over a fixed finite field, so also this work by Robert is over finite fields, by the way, so I fix a finite field Fq, let's say p to the r, and I assume that all my input data is defined over that field, so it's useful to not assume this, I will mention something about that in a second, but here we will assume it, and then it's also easy to conclude that you can also assume that the isogeny itself, if it exists, is defined over Fq, so that's not really, that's not always automatic, but you can go to a degree 2 or at worst degree 6 extension for this to be true, so you can also assume that phi is defined over Fq, okay, now if we assume this, then we can actually immediately reduce to the case k is at most 2, why is this, well any finite subgroup of an elliptic curve is of the form Z mod A times Z mod B, for some, yeah, no I will rewrite it as A times, so I wanted to say for some A that is a divisor of B, but I will immediately write it as A times B, okay, so I write my group as Z mod A times Z mod AB, so for some A, B, and p is not a divisor of A, okay, so by reorganizing this so that you are given the image points on generators of this group you can reduce to the case k at most 2, okay, so one might wonder why do we state this isogeny interpolation problem for general k, for k that are bigger than 2, so why allowing for k bigger than 2 in the statement of the isogeny interpolation problem, and so the reason is that, yeah, it also includes situations that occur really in practice, so this is to include situations where the p_i's are actually not defined over Fq necessarily, but defined over small extensions of Fq with a huge compositum, so it could be that p1 is a point of order l1, p2 is a point of order l2, p3 is a point of order l3, and so on, pk is a point 
of order lk, and so where the l_i's are small primes, and then, yeah, these points live over small extensions of Fq, but the field compositum is of the product of those primes and can be huge, and so this is still like say small inputs to the problem, but if you want to represent it like this then the field would have to be huge, and so the input size would then explode, and so it's really useful to cover such cases, but I won't say too much about this in this talk, so let me maybe immediately state then the theorem that we proved, so theorem, there exists a deterministic algorithm for the isogeny interpolation problem, which works as soon as p does not divide B, so remember our group was of the form Z mod A times Z mod AB, and p did not divide A anyway, so this condition is just equivalent to saying that p should not divide the order of the group, and which requires operations, a number of bit operations that is polynomial in the size of the field, and then that's to be expected of course, and then the degree of the defining field of the AB1B2 torsion, so let me mention something about that, so B1 and B2 are as follows, so we will write B as a complete square times like a square free part, so B2 square free, okay, so we'll factor out all the squares of B, and we'll put them in B1, and so yeah in case you would put B1 squared here, then you would just have, yeah, let's say the exponent of this group, so the smallest field of the defining field of the points where all the torsion lives of this size, but we can do a little bit better, so this is a small improvement, and then also, and this is to be fundamental to the methods, the largest prime factor of the number of elements in G, in other words the largest prime factor of let's say AB, okay, so that's the theorem in this simplified setting, but nevertheless let me just remark what we do, what we can prove in the general setting, so in general we can replace two with the following, so let's call it two prime maybe, 
namely instead of looking at the degree of the defining field, so by the degree of the defining field, I mean the smallest field extension where all the AB1B2 torsion points live, right, so here we can take the largest degree, the largest among the degrees of the defining fields of, well, the points, the interpolation points, because now they are no longer assumed to be defined over the base field, so that's natural, and now, so this here becomes replaced with the L to the power P over two torsion, let's make it, turn it into an integer, over all prime powers L to the D, dividing the order of the P, okay, so that's what we can do in general, so if you don't assume that everything is already defined over the base field, then you can, by working piecewise, over all prime powers dividing the order of the group, you can stay in rather small field extensions as long as this is smooth, right, because also here in this theorem the algorithm has a running time that is polynomial in the largest prime factor of the number of elements of G, so in order for this to be an efficient algorithm, the number of elements in this group has to be, the number of elements in this group has to be smooth, has to be, has to split into small prime factors, and that's really, as I said, fundamental to the method, so let's make a quick sub-remark here for supersingular elliptic curves, and this is the most relevant case in cryptography, so remember that SIDH stands for Supersingular Isogeny Diffie-Hellman, so for supersingular elliptic curves the conditions, or the condition let's say p not a divisor of B, that's void, so there's no, this is automatic in that case, and also the dependency here on the, on this field of definitions, or the same here, is also void, so and that's because, yeah, the torsion, the full, as soon as you have a point of a given order, then the full torsion of that order will be defined over the same field or over a very small extension of that field, so 
depending on the model you use, and so in, especially in the supersingular case, I think this theorem is as strong as it can be with the methods that we have, namely you will get the polynomial time algorithm in the field size and in the largest prime factor of the group you're interpolating, so the dependency on two disappears, same here, okay, but here's an example of a case we cannot solve, and so maybe also some publicity in case people want to think about this, so this is an example of a case we cannot solve, oh imagine that E and E prime are ordinary, and say over the field of characteristic two, or any small characteristic will do here, okay, and suppose that we know how the isogeny acts on a sufficiently large subgroup of order a power of two, so in this case this is a cyclic group, so that's a case where we cannot do anything, okay, so if the size of this group is bigger than four times d, and it's still true that the isogeny between E and E prime is uniquely determined, however our algorithm cannot tackle this, so we thought a little bit about using lifting arguments to characteristic zero, but then you get in trouble with this field of definitions of this full torsion, so this is yeah some problem that I would like to publicize if people want to have ideas on how to tackle that, okay, so I hope the problem statement and our theorem statement are clear, so now let's discuss the solution and let's first start with the solution by Damien Robert in this particular case that I mentioned and that I will repeat now, so let's say this is section two, I don't know if I wrote down section one for the introduction, but this is section two and in section two we will study the case where the group is a full n torsion with, oh I forgot to mention, I think I didn't mention it exactly, so Robert, it's the full n torsion where n is coprime to the characteristic, but also a bigger assumption was that torsion level and the degree of the secret isogeny are coprime, I 
forgot to mention that, so this will follow their paper, so okay, so let's say, let's recap, so we have our isogeny phi from E to E prime, it has degree d and we know how the isogeny acts on the n torsion, so let's take a basis of the n torsion, so we also know the images, it's called p1 prime as before and p2 prime and so yeah, we would like to evaluate this phi in any given, goal: compute phi of s for any given s, okay, so let's do a very special case, but which already contains all the ingredients, so a special case, so the special case that I want to discuss is where n, so the torsion level minus the degree is a perfect square, so later on this condition will be relaxed to being a sum of two squares or a sum of four squares and because every positive integer or every integer is a sum of, every positive integer is a sum of four squares, this will no longer be a condition, except that this still has to be positive and remember actually the assumption should be that the number of elements in this group is bigger than four times the degree of the isogeny, so the assumption is that n squared, which is the number of elements in this group, is bigger than four times, and so even assuming that this is positive is not immediately, not always true, okay, under this assumption, so let's just say it's not n would be bigger than two times squared, but we'll get back to that, okay, so the special case is where n is bigger than d and n minus d is a square, so then how do we solve this? Well, we consider the following isogeny between principally polarized abelian surfaces and the abelian surfaces are just E cross E prime with the product polarization to itself, so it will be an endomorphism and we write this endomorphism in matrix form, so this is multiplication by m, the same m as here, here we have phi hat, minus phi, m, so how should you read this? 
So let's say you have a point (p, q) here, then this is sent to m times p plus phi hat of q, and this will be the first component here, and then the second component will be minus phi of p plus m times q, okay, so it's really a matrix, that we put (p, q) as a vector after this matrix and do the matrix multiplication, so I hope this notation is clear, so that's the isogeny that we will use, and note this is an isogeny, an n-isogeny, say, in the sense that it splits, let's do this, yeah, this is a nice, or let's just write explicitly what I want to say with this, so the dual composes to multiplication by n, okay, so the dual with respect to the product polarization amounts to taking the conjugate transpose where conjugation should be read as taking the dual component-wise, so the computation, the relevant computation is then the following, and now you take the conjugate transpose, and if you work out what you get, you find m squared plus the degree, here you find m times minus phi hat plus phi hat times m, so you get zero, here also you get zero, and here you get degree again, m squared plus the degree again, but remember that m squared plus the degree is just n, okay, so this is indeed multiplication by that, so that's one thing to observe, and a second thing to observe is that yeah, or well it's on the same line, so let's state it immediately as an equality, so the kernel of capital phi is the set of points of the form (mp, phi of p), where p runs through the n-torsion, and now that we can write down a generator for this group thanks to the fact that we know the images of p1 and p2, this is just a group generated by p1, so the m times p1, and p1 prime, and this will be the big yeah, the big ingredient to the algorithm, the fact that we can write down the kernel of this capital phi thanks to the given interpolation data, so this is this group, so let's give a proof of this, so we just evaluate this capital phi in such a point, and so this gives you m squared times p plus d times p, and then this 
gives you zero, minus phi m and phi, so this is zero here, but this top thing is also zero right, because m squared plus d is n, and our point is a point of order n, so this is also zero, and so it follows that the kernel is a subgroup, sorry that this thing here, so the right-hand side say, it's a subgroup of the kernel, but then it's easy to check that this is an n subgroup, so as a subgroup this is isomorphic to Z mod n times Z mod n, and so it has to be the full kernel, so it has the right number of elements, so now what is the conclusion? The conclusion is that we can write down the kernel of this big map explicitly, so that's right here, so you can explicitly write down the kernel of this big map, but this almost means that you can just immediately write down capital phi at least if n is smooth, so if n is smooth we can compute an isogeny with that kernel, but the kernel uniquely determines the isogeny up to post-composition with an isomorphism, so we can compute capital phi up to post-composition with an isomorphism, but typically you only have things like 1 times minus 1 or something, and that's easy to deal with. 
Okay, so what will happen in practice if you do this, you will split n as a product of the prime factors, and you assume that all these l_i are small, and then you can really compute an isogeny with that kernel, so it starts from E cross E prime, so let me really draw it like an x-axis times a y-axis, so here you have your two points, the point m times p1 prime, and you have the point m times p2 prime, and now you quotient out the subgroup generated by these two points, and you do it in steps, so you first multiply the subgroup with n divided by l1, so this gives you an l1 isogeny, or (l1, l1)-isogeny, could be more precise, this will not take you to E cross E prime, it will take you to some Jacobian, so I should draw this something like this, so typically, well it could be a product exceptionally, but in general it's a Jacobian of a genus 2 curve, and then you repeat this, and so on, and in the last step you do an (lr, lr)-isogeny, and now it takes you back to this product of elliptic curves, so these small isogenies, they can be computed, so for instance, if l1 is 2, then there are explicit formulas due to Richelot for taking these steps, except for the first step and the last step, like which is a gluing step and a splitting step, you have to resort to other formulas, but they exist, they have been worked out, but in general you can resort to a method by Lubicz and Robert for doing this for arbitrary l, as long as l is small, this is efficient. 
Okay, so we are almost there, from the interpolation data, we can write down this capital phi here, this big isogeny between this product of elliptic curves and the same product of elliptic curves, we can write down the kernel, thanks to the given interpolation data, from the kernel we can compute this chain of isogenies, and we can now evaluate this big isogeny in any point, and so now apologies for the messy board, now remember the goal is to compute phi of s, so what we are going to do is we are going to compute minus phi of (s, 0), so if you compute minus phi of (s, 0), then you will see if you put (s, 0) here, so this gives you m times s, minus m times s, and it will give you phi of s, okay, and so you recover the desired phi of s as the second component, okay, so from the interpolation data you build the kernel of a higher dimensional isogeny, you compute the isogeny, you compute the image of (s, 0) under that big isogeny up to sign, and you recover the desired, so that's the method, which remember is in a very special case, but it generalizes nicely, so I would like to now explain first on how to get rid of the assumption that n should be bigger than d, okay, so we assume that n is bigger than d, to end up with a positive number, and then we moreover hoped that that number was a square, but as I said this condition that the number is a square can be relaxed to being a sum of four squares, so in fact only the positivity of this left-hand side becomes a crucial assumption, I will also mention a bit more about that later, but let's first try to relax this assumption that n minus d is positive to n minus square root of d is positive essentially, we'll do that now, so let's say special case one, special case two, and this is where n squared minus d is a square, okay, so this is now we assume that n minus square root of d is positive, and we are still assuming that this is a square, so how do we proceed here? 
Well we proceed as before, so we again build this isogeny, let's again call it capital phi, same matrix, however we no longer know the kernel of capital phi, because the kernel of capital phi would now be everything of the form (mp, phi of p), but p running over the n square torsion, copying the reasoning from before, but applying it to n squared, this is the kernel of capital phi, but we no longer know this kernel of capital phi, because we don't know how phi acts on the n square torsion, we only know how it acts on the n torsion, so the interpolation group remains the n group, so we don't know it, but we do know n times the kernel of capital phi, because n times the kernel of capital phi is just the same, but where you restrict to the n torsion, so that's really again the same subgroup as before, so what does this mean? Well we can't really quotient out the kernel of capital phi immediately, because we don't know it, but we can quotient out n times the kernel of capital phi, which basically means that we can do the first half of this work, so what it means is that this big phi, you can decompose it into an isogeny phi one, and this has kernel n times the kernel of capital phi, and then there's a phi two that we don't know yet, again taking us to the product here. Now in the interest of time, I won't explain it in detail, but the main ingredient here is not so hard to explain. What are we going to do? Well we are going to realize this, to compute this phi two by walking from right to left, in other words by computing the dual of capital phi, and remember the dual of capital phi in shape had a very similar format, so remember the dual of capital phi, let me abuse notation a bit and identify it with this matrix, so the dual of capital phi was this, and so n times, so by exactly the same reasoning, but just applying it to minus phi, n times the kernel of the dual of capital phi is m times p1 minus p1, m times p2 minus p2. 
So we know the kernel, we know the first half of the dual of capital phi, but the dual I said in the first half of that is exactly the phi two, or at least the dual of it that we are looking for. So this is the kernel of phi two dual, and so thanks to this we can essentially compute phi two dual. There's a bit of a subtlety here, because you have to glue this phi one and phi two dual in the middle in the correct way, so this will again in general be the Jacobian of a genus two curve, it might exceptionally be a product, and so yeah, we can yeah, starting from here we can compute the dual of phi two, we can then take the dual of that again, and essentially have phi two and recover capital phi as the composition of yeah, let's say phi two dual dual, and then we proceed as before. Okay, so I hope that idea is clear. So what we have done now is so recap, this solved the case n is bigger than, so let me write two, so the two here is needed, and that's for this automorphism, to fix for this automorphism at the end, so I ignored this, but in any case, so this solves cases where n is essentially bigger than the square root of d, and n square minus d is a square, and now this can be generalized, so method generalizes to n square minus d being a sum of squares, and let me mention, so yeah, you can always work with r equals four, but the method generalizes also to a sum of two squares, and if it's a sum of two squares, it's actually much better to work with r equals two, but for the theorem it doesn't matter, so where capital phi gets replaced, and people working on abelian varieties will definitely recognize this, with, yeah, the following map, so you go from E to the r plus E prime to the r, so potentially you go up to dimension eight in general, E to the r plus E prime to the r, and the matrix is now an eight by eight matrix, and it takes this form, so here you take phi hat on the diagonal, minus phi on the diagonal, and the main ingredient is the matrix A, which is such that A times A 
transpose equals A transpose times A equals n square minus d, so the sum of these squares, times the identity, and such a matrix exists for r equals one, two or four, if r equals four you can realize A as a matrix of multiplication, as a matrix of multiplication with the quaternion a1 plus a2 i plus a3 j plus a4 k in the quaternion algebra, in the standard quaternion algebra, so this is reminiscent of a trick known as Zarhin's trick, yeah, seemingly a big step to go from n square minus d being a square to n square minus d being a sum of squares, but that's I guess the big observation that Damien Robert had, that this is actually, that the generalization is relatively straightforward. Okay, so this is Damien Robert's version of the interpolation attack, so now let's, yeah, give some hints on how to solve the general case, so let's say a general case, at what time should I stop? Well, yeah, we started a bit later, maybe a few more minutes. Yeah, I'll try to give the main hints, so the general case, so this is actually the work that we did for this paper in progress, so the general case consists of two steps, two phases or two ingredients, so let's say two ingredients, so the first one is a generalization of the previous method, the case where G is still a full n-torsion group, really call it one or something, so it's still a full n-torsion group, but we dropped the assumption that, where possibly the gcd of n and the degree of the isogeny is positive, or sorry, it's bigger than one, so that's a seemingly mild tweak, and indeed it's, yeah, indeed to respect, it is a mild modification of the method, I'll try to say something about it, but it's really crucial because that's what will come out of the second case, so in the second case we will reduce, so the general case say two case one, so there are tricks to, if you're facing an interpolation problem, there are tricks to reduce it to an interpolation problem where the, given where the group that you want to 
interpolate say is a full n-torsion group, but it's out of this, so the result of this reduction will almost never satisfy that the gcd is one, okay, so this is really crucial, so let me give a hint of two maybe in the interest of time, so yeah, solution two-two, so it will contain all the ingredients, but it's a bit more technical than I will explain now, so let's say for simplicity that the group is cyclic, G is generated by one point p1, okay, k equals one, so that's definitely not of this form, so the order of p1 is n, and n is bigger than 4d, okay, and we also now, we are given its image, p1 prime, so we are facing an interpolation problem for one point of order n, where n satisfies the bound of the lemma that we started with, so the isogeny is uniquely determined, but this group is definitely not of this form, and so we cannot apply the method from before, and so the type of reduction works as follows, so we have our phi here, it goes from E to E prime, maybe like this, we have our point p1 here, and we know that p1 is mapped to p1 prime, so what we do is we extend p1 to a basis p1, p2 of the n torsion, pick a p2 such that the n torsion is p1, p2, generated by p1, p2, and we do the same here, so we just pick any p2 prime such that the n torsion on E prime is generated by p1 prime, and let's also assume for simplicity that the gcd between n and d is 1, so this is an isogeny of degree d and n is coprime, but we only are given of the isogeny actual model, so we extend as I said p1 to a basis p1, p2 of the n torsion of E, we extend p1 prime to a basis p1 prime, p2 prime of the n torsion of E prime, of course we do not know whether or not p2 is mapped to p2 prime or not, in general we would have to be very lucky for this to happen, but what we do know is that phi of p2 is a multiple, yeah is mapped to something of the form lambda times p2 prime plus mu times p1 prime, okay, so this is an n torsion point, so it has to be expressible in terms of the basis, and by this 
assumption here, that the gcd of n and d is 1, in general if one can get rid of it, this lambda is a unit, and now by comparing the Weil pairing to the Weil pairing here, the other end, we can reduce to the case lambda is 1, so in other words we can compute lambda from the Weil pairing, yeah, and that uses this rule that the Weil pairing is compatible with isogenies in this sense, okay, so what you do is you plug in phi of p2 here, you have p1 prime here, and you will get lambda out as an exponent, so you can compute lambda and by scaling with lambda we can assume that p2 prime, that the coefficient at p2 prime is 1, okay, I hope that's clear, so okay, so we know that phi of p2 equals p2 prime, but we can't get rid, so this Weil pairing doesn't allow for this, to get rid of this second component, so we still don't know the image of p2, however what we do now is we quotient out the subgroup generated by p1 prime, so seems like a strange thing to do, but the advantage is that we know the image of these points here, so yeah, this we do not know, because we compute the isogeny ourselves, so this one goes to zero, so we quotient it out, and this one goes to psi of p2 prime, psi ourselves, we know the image, but note that, so now note that if you look at psi composed with phi of p1, well that's phi of p1 and then you apply psi, so that takes us to zero, and psi composed with phi of p2, well, phi of p2 is this, but then psi annihilates p1, okay, so it heats this, and so this will also be psi of p2 prime, and so now we have this bigger isogeny, and we know how it acts on a basis of the n torsion, and moreover this bigger isogeny has degree n times d, which is, yeah, and this is smaller than the amount of the interpolating group, because the interpolating group is of size, yeah, so this thing here is bigger than four times that degree, because n was bigger than four times d, so you just multiply both sides here by n, and you get this, okay, so we have, from our interpolation 
problem, we have obtained a new interpolation problem, but where we know how the isogeny acts on the full n torsion, so we have reduced to phase one, and I hope that you see that this condition is very strongly violated here, so the isogeny psi composed with phi has degree n times d, so the gcd here will be n instead of 4, and so you need this generalization in order to proceed, but yeah, by lack of time, so the ingredients here are not super surprising, but it's a bit more technical, but this is kind of the main reduction, okay, so I think I'm running out of time, so I would like to stop here.
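
The matrix A from the talk (A times A transpose equal to n squared minus d times the identity, built from a sum of squares and, for r equals four, from quaternion multiplication) can be checked numerically. The following is an added example, not part of the talk or of the papers it describes; the function names and the toy values of n and d are assumptions chosen for illustration, and the four-squares search is brute force, so it only suits small inputs.

```python
from math import isqrt


def squares_decomposition(s):
    """Shortest tuple (a1, ..., ar), r in {1, 2, 4}, whose squares sum to s."""
    if s <= 0:
        raise ValueError("n^2 - d must be positive")
    root = isqrt(s)
    if root * root == s:                      # r = 1: the perfect-square case
        return (root,)
    for a in range(root, 0, -1):              # r = 2: sum of two squares
        b = isqrt(s - a * a)
        if a * a + b * b == s:
            return (a, b)
    # r = 4: always possible (Lagrange); entries may be zero. Brute force.
    for a in range(root, -1, -1):
        for b in range(isqrt(s - a * a), -1, -1):
            rest = s - a * a - b * b
            for c in range(isqrt(rest), -1, -1):
                e = isqrt(rest - c * c)
                if c * c + e * e == rest:
                    return (a, b, c, e)
    raise AssertionError("unreachable: every positive integer is a sum of four squares")


def multiplication_matrix(coeffs):
    """Integer matrix A with A * A^T = A^T * A = (sum of squares) * identity."""
    if len(coeffs) == 1:
        return [[coeffs[0]]]
    if len(coeffs) == 2:                      # multiplication by a + b*i
        a, b = coeffs
        return [[a, -b], [b, a]]
    a1, a2, a3, a4 = coeffs                   # left multiplication by the
    return [                                  # quaternion a1 + a2 i + a3 j + a4 k
        [a1, -a2, -a3, -a4],
        [a2,  a1, -a4,  a3],
        [a3,  a4,  a1, -a2],
        [a4, -a3,  a2,  a1],
    ]


def transpose(m):
    return [list(col) for col in zip(*m)]


def matmul(x, y):
    return [[sum(p * q for p, q in zip(row, col)) for col in zip(*y)] for row in x]


def is_scalar(m, s):
    """True if m equals s times the identity matrix."""
    return all(m[i][j] == (s if i == j else 0)
               for i in range(len(m)) for j in range(len(m)))


def plan(n, d):
    """For torsion level n and degree d, pick r and A for s = n^2 - d."""
    s = n * n - d
    coeffs = squares_decomposition(s)
    A = multiplication_matrix(coeffs)
    At = transpose(A)
    ok = is_scalar(matmul(A, At), s) and is_scalar(matmul(At, A), s)
    # The big isogeny lives on E^r x E'^r, an abelian variety of dimension 2r.
    return {"s": s, "coeffs": coeffs, "r": len(coeffs),
            "dimension": 2 * len(coeffs), "A": A, "ok": ok}


if __name__ == "__main__":
    # Constructed toy parameters, all with n^2 > 4d and gcd(n, d) = 1.
    for n, d in [(8, 15), (8, 11), (8, 9)]:
        p = plan(n, d)
        print(n, d, p["s"], p["coeffs"], "dimension", p["dimension"], p["ok"])
```
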