Hello and welcome to this virtual presentation titled Rational Isogenies from Irrational Endomorphisms. I'm Lorenz, and this is joint work with Wouter and Frederik from Leuven. So, as you might have guessed, this is a talk about isogeny-based cryptography, but I still want to start off by giving a very high-level explanation of what our paper is about for people who don't know much about the underlying mathematics but still want to get the big picture of our work. So the most direct implications of our work concern a scheme called CSIDH, and that is basically just a cryptographic one-way group action, meaning it's an algorithm that takes two inputs. The first input is an element of an abelian group G and the second input is an element of a certain set X, and then the output is another element of X. And, well, being a group action means that this operation is compatible with the multiplication in G, such that when you apply two group elements it's the same as applying the product of these group elements. Why is this interesting? Well, we can easily build a Diffie-Hellman style key exchange from this by essentially taking Diffie-Hellman and replacing the exponentiation that's happening in Diffie-Hellman by this binary operation. So then the secret key space would be G and the public key space would be X, and it's easy to figure out that this works, and for well-chosen group actions (and we hope that CSIDH is such a thing) we can hope that this gives a post-quantum secure Diffie-Hellman non-interactive key exchange, which is why this is kind of interesting. So one open problem that's reasonably well known among isogeny people is that of hashing into the set X. That basically means you would like some method, some algorithm, some formula that essentially spits out elements of the set X in such a way that it's provable ideally, or maybe plausible, that nobody can know which element of G took you to this new element of X that your algorithm just produced.
So sticking with the discrete log analogy, that would mean you would like to just produce an element of your group where you can argue somehow that nobody knows the corresponding secret key with respect to some generator of your discrete log scheme, and for DLP in fact we easily can do this for all the groups we care about. So for finite fields you can just write down a random number, and for elliptic curves you have to do a tiny little bit more work, but basically you can very easily sample close to uniformly or uniformly from these groups. Unfortunately, for this isogeny setting this is much harder. If you just write down a random bit string, it has an exponentially small chance of being a representative of an element of X. So we have to do more work. Here is a complete survey of the known methods to produce elements of the set X, besides dumb things like random guessing. The first one is: you take some known element of X (there are a few of these, they are documented in the literature, you can easily figure some out), and then you pick a random element of your group that has enough entropy or something and you just apply it to this well-known public element, and then you have a new element of X, because that's what this group action did.
But the problem is that obviously this doesn't serve our purpose, right, because we know what the connecting element is, because we chose it ourselves, so this is definitely not the thing we want. And the other method, and that is in fact actually the method how we even arrive at these few publicly known elements of X, is to reduce a certain well-chosen elliptic curve over a number field modulo your prime p, and then if this curve was chosen well enough it will in fact be an element of X, and it's not immediately obvious how this new element is connected to the other known elements that we've obtained earlier that are just publicly known. Or at least that was the case until we wrote our paper, and basically this is one of our main conclusions: if we know a little tiny bit of information about this curve that's reduced modulo p, then we can easily write down what a certain group element is that connects this new curve that we just obtained to some other well-known curve that's existed forever. At this point I should also mention that this is very much related to parallel independent work by Boneh and Love, and they basically arrive at the same conclusion using a quite different point of view. Alright, so after this very high-level overview let me explain some more details that we'll need to describe our results. So among elliptic curve people it's relatively well known that if you consider an imaginary quadratic order that occurs as the endomorphism ring of an ordinary elliptic curve, then the ideal class group of that ring acts on the set of all those curves that have this endomorphism ring, and this action is free and transitive, meaning that once you fix a base element it is a bijection. What's, I believe, much less well known is that in fact this also works for supersingular elliptic curves if you restrict to curves defined over F_p instead of F_{p^2} and you also consider just the subring of endomorphisms that are defined over F_p.
So this again is an imaginary quadratic order, whereas the full endomorphism ring of a supersingular elliptic curve is non-commutative and it's a maximal order in a quaternion algebra. So this is in fact the main contribution of CSIDH: using this action on a supersingular isogeny graph defined over F_p for cryptography. So CSIDH is just the CM action of an imaginary quadratic order O containing Z[sqrt(-p)] on the set of elliptic curves that are supersingular, necessarily defined over F_p, which have that order O as their F_p-endomorphism ring. Computationally, how do we compute this action? Well, the elements of the class group are represented by invertible ideals, and so these ideals are subsets of the endomorphism ring, and the action on a certain curve E is given by intersecting all the kernels of endomorphisms contained in this ideal and quotienting that out, and by general elliptic curve isogeny theory we know that every finite subgroup is the kernel of an isogeny, so this gives you an isogeny to a different curve, and that's the output of your group action.
You can prove that in fact this action is also free and transitive. So there's another problem here, namely that generally computing the action of an arbitrary ideal is quite hard: if you do it naively it's exponential time, there's an algorithm that does it in subexponential time, but it's definitely not poly time. So to make this action efficient we in fact restrict to ideals of a very special form, namely there's some fixed choice of small prime ideals called l_1 through l_n, and then we just take some small product combination of these prime ideals and use that as our secret keys, and then you have to somehow estimate the size of the key spaces and stuff to make this all big enough to cover the entire public key space and so on, but this can be made to work, and then evaluating the action of this is very efficient because each individual l_i can be applied quite efficiently, and then doing this a small number of times is still efficient. One main advantage of CSIDH compared to using the CM action on ordinary curves is that applying one of these prime ideals l_i is particularly cheap. So the bottom line is that CSIDH gives you non-interactive key exchange that we expect to be post-quantum secure, and it's relatively fast at that, so it's really sort of like a replacement for Diffie-Hellman in many cases. A helpful and quite common way to visualize this group action is through its Schreier graph, which looks like the one shown on the slide here, and this graph is made by taking all the elliptic curves in your set X as the nodes, and then between two curves you draw an edge for each ideal in your set of generators l_1 through l_n that connects these two curves. So the colors here represent the different generators l_1 through l_n, and then from each curve you have two outgoing edges for each color, and that represents the action of l and l inverse. So in a sense you can really interpret this secret key group operation as a random walk on this graph, which maybe
gives some intuition why this is potentially secure. Okay, so in this slide I'm showing all the notation used in this talk. It's just here for reference, so feel free to pause the video if you want to have a look at it; I'm gonna skip it now. Cool, so with the preliminaries out of the way we can finally start thinking about the actual problem that we were trying to solve. So suppose somebody just hands us a curve in the CSIDH graph, for instance, and we're told or guaranteed that this curve has an irrational endomorphism of some prime degree l (so irrational just means it's not defined over F_p), and we're asking ourselves the question: where in the isogeny graph can this curve be? Can we somehow just learn something about a based on this knowledge that it has this endomorphism? So looking at a picture, this circle represents for example one of these isogeny cycles in the Schreier graph picture, and the situation is that a connects E_0 to E, and we're trying to figure out what a is given E_0 and E and knowledge about this endomorphism of E. So the first helpful fact to reason about this picture is to notice that it has, at least in some cases (and we're just going to consider these cases for now), a certain symmetry. Namely, it was already pointed out in the initial CSIDH paper that in the special case that p is 3 mod 4 and you use this very specific curve y^2 = x^3 + x as your starting curve, then taking the quadratic twist of one of these curves in the graph basically means you're inverting the class group element that took you there from E_0. So for short, twisting means inverting the class group element; that's a good rule of thumb to keep in mind. And that alone doesn't tell you much yet, but the second, more crucial observation is that if you additionally assume (and that's not always true, but let's assume for now) that this endomorphism anticommutes with Frobenius, then you can actually make an F_p-rational isogeny from E to its
quadratic twist from that endomorphism by just composing with the isomorphism from E to its quadratic twist. So that isomorphism is also not defined over F_p, but the composition of these two maps is defined over F_p, and the reason is basically that the isomorphism to the quadratic twist negates Frobenius, so if before composing with this isomorphism the endomorphism was anticommuting with Frobenius, afterwards it will commute with Frobenius, and that means it's an F_p-rational isogeny. So basically knowing that this tau exists, and assuming these extra conditions that I've just added on this slide, tells you that there must be an edge from E to its quadratic twist in the l-isogeny graph, and that must come from the action of an ideal of norm l. So I've just added this to the picture, and now if we look at this picture very carefully we can see that the composition of a and a again, and then in the middle this bit is just the green arrow labeled l^(+-1), well, it's the entire circle, right? So we can just solve the equation arising from this picture, and it's a quadratic equation, and it tells you pretty much exactly what a squared is. So we just observe that just knowing that this curve has this kind of special endomorphism that satisfies all these conditions on the last slide already allows you to learn a whole lot about the secret element a; in fact it's defined up to the 2-torsion in the class group. And of course there's still a computational question of being able to compute the square root, but let's get to that later. For now the question is: is this just a weird special case? Does this only happen for that very specific choice of parameters on the previous slide? And well, the answer is no. So basically we're going to spend most of the rest of the talk on removing all of these conditions that I added on the last slide, and just for brevity we'll quickly introduce the word twisting endomorphism for an endomorphism that anticommutes with Frobenius. All right,
so on this slide I've basically compiled our to-do list of questions that arise from this very special example that we've seen. And so of course the very first question is: can we even compute a when we're given a squared? Can we compute square roots in the class group? And it's not that obvious how to do this. The next question is, once we can compute a square root, is it clear that there's not too many square roots? Like, for all we know there could be so many square roots that it basically doesn't tell us anything about a, so we need to somehow bound the size of the 2-torsion of this class group. Then the question is: when are endomorphisms twisting? Is this very common? Can we expect this to happen? Do they even exist? Another question is, well, we've seen that this example worked partially because this very special starting curve E_0 was right in the middle of this isogeny cycle, so it was basically on the axis of reflection of this twisting symmetry, and so can we somehow generalize this idea to starting curves that aren't their own twist? And finally, can we generalize all of this to primes that aren't 3 mod 4? The first problem on the list is how to compute squares in the class group, and the good news is that first of all Gauss knew how to do this 222 years ago, and it turns out that his method from back then is actually polynomial time now, so that's pretty good. If you happen to know the class number of this ring and it's odd, then of course there's an easier way, like in any group, but computing the class number takes exponential time, so this is much less efficient in general. How many square roots are there? So it's known that you can only get elements of order two in the class group at primes dividing the discriminant of the number field, and in this case the discriminant is either -p or -4p depending on the value of p modulo 4, so the only potentially bad prime divisors are p and 2. Let's have a look at what these give us. For p dividing the discriminant,
well, we just get the ideal generated by Frobenius, but that's a principal ideal, so it doesn't correspond to a non-trivial element of the class group. For 2 dividing the discriminant we indeed get a non-principal ideal dividing 2, so this corresponds to an actual non-trivial element of the 2-torsion, and the bottom line is that the 2-torsion of the class group is either just the trivial group when p is 3 mod 4, or it's isomorphic to Z/2 when p is 1 mod 4, and therefore a square element of the class group has either one or two square roots depending on what p mod 4 is. And with this we finish discussing the first two points of our to-do list. Let's talk about twisting endomorphisms. So recall that our goal was to locate reduced CM curves in the isogeny graph. The question is: how common is it for an endomorphism that comes from reducing a CM curve to be a twisting endomorphism? To answer this question we got the following theorem, that basically says: if the CM that this curve has is by an endomorphism of prime degree l that's smaller than about p/4, then the reduction is guaranteed to be a twisting endomorphism. So yes, in principle there is a restriction, but for cryptographic purposes p is so massive that you can't even write down these curves for a larger l, so I dare say practically speaking reduced CM endomorphisms are always twisting for the case we care about. Moreover, if they aren't, it's typically easy to find a twisting endomorphism if you're given just any irrational endomorphism. This depends a bit on how these things are represented and some details, but as a rule of thumb this is usually doable. So we've got ourselves another check mark on the to-do list. So if the starting curve is not as nice, meaning it's not exactly in the middle of this picture right on the axis of reflection, then it has a non-trivial quadratic twist somewhere else in the graph, and this twist must be connected to the starting curve by some ideal class b, as shown in the picture, and
then if we fill in the usual scenario that we're considering, of an elliptic curve that has a twisting endomorphism of degree l, we get a similar picture as before, except that there's an extra twist of E in the picture and this ideal class b. But basically there's no reason why we can't still solve for this missing part a, and if you write down the equation it looks just like before except with a little extra b stuck in there. So basically this is no issue at all, so yeah, of course we can deal with starting curves that aren't their own twist. The last question on the list is: what if p is 1 mod 4 instead of 3? And the good news is that we've basically already dealt with all the issues that arise in this case while going through the other items on the list. Namely, if p is 1 mod 4 then the class group order is even, so you get 2 instead of 1 square roots, and there is no curve that sits right in the middle of this picture, so there's no curve that's its own quadratic twist, but everything else basically works the same. It's just that this element of order 2 gives you an additional symmetry in this picture, and you can actually sort of visualize it like this, and if you stare at this picture for long enough it becomes kind of clear why this picture is not enough to distinguish which side of this circle you're on. So that's why, just using equations based on this picture, you cannot distinguish how many copies of t there are in your secret ideal. To figure out which square root is right you can either just try both and see which one works, or there's actually a much, much nicer solution, which is in a recent ePrint paper, and that one breaks DDH for the case p is 1 mod 4 for this group action, essentially by looking at this 2-torsion component and seeing if the pairings are consistent with the 2-torsion parts, and this can also be used to figure out which of these two choices is right in our scenario. So that's our last check mark on the to-do list, and we've
essentially generalized this very special example from the beginning to a complete theory of what's going on here. So based on all this stuff that we've just discussed we came up with the main theorem of our paper. It structurally looks like this; I'm not showing all the details, but you can read up in our paper. So basically for this CM reduction scenario, where you take a CM curve and you reduce it modulo p to get a supersingular elliptic curve, we tell you exactly how many curves over F_p there are that are reductions of these curves, which combinations of F_p-endomorphism ring and reduced CM ring are possible, and finally, and that's perhaps the most important thing cryptographically speaking, where exactly in the isogeny graph all of these curves are. So we tell you exactly how to get there from the special starting curve. And it's important to point out that we formulate this theorem only for p = 3 mod 4, because that's the interesting case for CSIDH, but similar results are most likely possible for p = 1 mod 4; it's just that we didn't work it out exactly and didn't write it down. Okay, so just in case the previous discussion seemed a bit abstract and detached from reality, I'm going to show an example that shows just how explicit our methods are. So in the CSIDH-512 parameter set it's actually true that p = 11 mod 12, which means that this curve written down here, y^2 = x^3 + 1, is also supersingular, because p is 2 mod 3. So where is it? Well, we figure out exactly where in the graph it is and how to get there from the starting curve chosen in the CSIDH-512 parameter set, and this basically shows that you cannot possibly hope to use that curve as a non-backdoored, publicly chosen random curve in the graph that nobody knows the secret key to. On this last slide I want to talk about something that is actually a significant chunk of our paper, but obviously it was impossible to present everything in this talk, so I'll just give a short summary and I
encourage you to have a look at the paper if you're interested. So in the isogeny literature there's a thing known as the KLPT algorithm, named after Kohel, Lauter, Petit and Tignol, and what this algorithm does is: given a supersingular elliptic curve defined over F_{p^2}, and given its entire endomorphism ring in some sufficiently explicit, computationally useful representation, you can use this to find an isogeny from some specific fixed curve E_0 to that curve E in polynomial time. However, a priori usually this isogeny is not defined over F_p, and there's not really a reason for it to be, so this doesn't really break CSIDH even if you reveal the entire endomorphism ring. So the question is, maybe we can actually reveal endomorphisms, except those that are twisting, because of course according to the earlier contents of this talk those break the scheme. And our paper also addresses this question by basically giving an analog of the KLPT algorithm for curves defined over F_p. So the scenario is: you're given an elliptic curve defined over F_p that's supersingular, and you're given its entire endomorphism ring (so that's over the algebraic closure), and then we output an ideal that connects that curve to some fixed starting curve in polynomial time. There's one caveat here, namely turning this into an actual isogeny still takes subexponential time, because the ideal that is output here is not particularly nice, and as I mentioned earlier when describing CSIDH, evaluating a general ideal on a curve takes superpolynomial time. However, we also resolve the obvious question that comes from this, namely: can you do better? Can you maybe do this in polynomial time and output a smooth ideal? But we prove that this would imply that you can compute discrete logarithms in the class group of this imaginary quadratic field, and fundamentally there's no reason why this shouldn't be possible, but it seems quite unlikely that this is just easy to do, because people have thought
about this problem. All right, that's the end of the presentation. Thanks for making it this far, and enjoy the rest of the virtual conference.
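The "equation arising from the picture" that the talk solves for a squared, both for the self-twist starting curve and for a starting curve with twist class b, written out as an added worked derivation (not part of the talk or the paper's text). It assumes the talk's rule "twisting means inverting" in the form $([\mathfrak{a}]E_0)^t = [\mathfrak{a}]^{-1}E_0^t$, and writes $\mathfrak{l}$ for whichever of the two prime ideals above $\ell$ realises the edge from $E$ to its twist.

```latex
\text{Setup: } E = [\mathfrak{a}]\,E_0, \qquad E_0^t = [\mathfrak{b}]\,E_0
\quad(\mathfrak{b} = 1 \text{ when } E_0 : y^2 = x^3 + x,\ p \equiv 3 \bmod 4). \\[4pt]
\text{Twisting inverts: } E^t = ([\mathfrak{a}]E_0)^t = [\mathfrak{a}]^{-1}E_0^t = [\mathfrak{a}]^{-1}[\mathfrak{b}]\,E_0. \\[4pt]
\text{A twisting endomorphism } \tau \text{ of degree } \ell, \text{ composed with the twist isomorphism,} \\
\text{is an } \mathbb{F}_p\text{-rational } \ell\text{-isogeny } E \to E^t, \text{ so } E^t = [\mathfrak{l}]\,E = [\mathfrak{l}][\mathfrak{a}]\,E_0. \\[4pt]
\text{Equating the two expressions for } E^t \text{ and using freeness of the action:} \\
[\mathfrak{l}][\mathfrak{a}] = [\mathfrak{a}]^{-1}[\mathfrak{b}]
\;\Longrightarrow\;
[\mathfrak{a}]^2 = [\mathfrak{l}]^{-1}[\mathfrak{b}]. \\[4pt]
\text{The two primes above } \ell \text{ are inverse to each other in } \mathrm{Cl}(\mathcal{O}), \text{ hence} \\
[\mathfrak{a}]^2 = [\mathfrak{l}]^{\pm 1}[\mathfrak{b}], \qquad
[\mathfrak{a}] \text{ is determined up to } \mathrm{Cl}(\mathcal{O})[2] =
\begin{cases}
1, & p \equiv 3 \bmod 4,\\
\mathbb{Z}/2, & p \equiv 1 \bmod 4.
\end{cases}
```

With $\mathfrak{b} = 1$ this is exactly the "$\mathfrak{a}$, then $\mathfrak{l}^{\pm1}$, then $\mathfrak{a}$ again closes the circle" relation from the slide; the $p \equiv 1 \bmod 4$ case is where the two candidate square roots must be told apart.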