
Unconditional foundations for supersingular isogeny-based cryptography

Arthur Herlédan Le Merdy, Benjamin Wesolowski

TL;DR

This work proves unconditional, polynomial-time reductions unifying core problems in supersingular isogeny-based cryptography, showing Isogeny, EndRing, OneEnd, MaxOrder, MOER, MaxOrder$_{\mathcal{Q}}$, and HomModule (and even $\ell$-IsogenyPath) are equivalent without GRH assumptions. It also establishes worst-case-to-average-case hardness: if any problem is hard in the worst case, all are hard on average for random instances, significantly strengthening security foundations for schemes like SQIsign. The authors introduce novel approaches to overcome the lack of a GRH-based dictionary between endomorphisms and quaternions, including local endomorphism/quaternion correspondences via neighboring curves and the use of IsogenyInterpolation to translate between quaternionic data and isogenies. They further connect Isogeny and MOER through connecting ideals and the Kirschmer algorithm, and show HomModule can be reduced to Isogeny by leveraging EndRing data and structured isogeny computations. The results provide unconditional, robust links among foundational problems, supporting rigorous average-case security analyses for isogeny-based cryptography and clarifying the landscape of related decision and search problems.

Abstract

In this paper, we prove that the supersingular isogeny problem (Isogeny), endomorphism ring problem (EndRing) and maximal order problem (MaxOrder) are equivalent under probabilistic polynomial time reductions, unconditionally. Isogeny-based cryptography is founded on the presumed hardness of these problems, and their interconnection is at the heart of the design and analysis of cryptosystems like the SQIsign digital signature scheme. Previously known reductions relied on unproven assumptions such as the generalized Riemann hypothesis. In this work, we present unconditional reductions, and extend this network of equivalences to the problem of computing the lattice of all isogenies between two supersingular elliptic curves (HomModule). For cryptographic applications, one requires computational problems to be hard on average for random instances. It is well-known that if Isogeny is hard (in the worst case), then it is hard for random instances. We extend this result by proving that if any of the above-mentioned classical problems is hard in the worst case, then all of them are hard on average. In particular, if there exist hard instances of Isogeny, then all of Isogeny, EndRing, MaxOrder and HomModule are hard on average.

Paper Structure

This paper contains 9 sections, 7 theorems, 8 equations, 2 figures.

Key Result

Theorem

The problems Isogeny, EndRing, OneEnd, MOER, MaxOrder, MaxOrder$_{\mathcal{Q}}$ and HomModule are all equivalent under pr

Figures (2)

  • Figure 1: Summary of the relations between fundamental isogeny-based problems. All arrows are unconditional classical polynomial time reductions. Thin arrows have a $O(1)$ query-complexity, and thick arrows have a $\mathop{\mathrm{polylog}}\nolimits(p)$ query-complexity. Reductions with no reference are trivial, and all others are proved in the associated reference. Reductions involving MaxOrder$_{\mathcal{Q}}$ require oracle access to $\mathcal{Q}$.
  • Figure 2: Former state of the art of (conditional) reductions between foundational problems of isogeny-based cryptography. All arrows are classical polynomial time reductions. Thin arrows have a $O(1)$ query-complexity, and the thick arrow has a $\mathop{\mathrm{polylog}}\nolimits(p)$ query-complexity. Reductions with no reference are trivial, and all others are proved in the associated reference. The GRH label signifies that a reduction assumes the Generalized Riemann Hypothesis.

Theorems & Definitions (8)

  • Theorem
  • Theorem
  • Lemma (pizer_algorithm_1980)
  • Proposition
  • Definition: Efficient representation, following wesolowski_random_2024
  • Proposition: IsogenyInterpolation (EPRINT:Robert24c)
  • Proposition: IsogenyDivision (EPRINT:Robert22c and EPRINT:MerWes23)
  • Proposition: IdealToIsogeny (EPRINT:PagRob23)