Constructing elliptic curve isogenies in quantum subexponential time

TL;DR

This paper presents a subexponential-time quantum algorithm for constructing elliptic curve isogenies, challenging the presumed hardness of this problem and impacting the security assumptions of isogeny-based cryptography.

Contribution

It introduces the first subexponential quantum algorithm for elliptic curve isogenies, reducing the problem to a hidden shift problem and evaluating isogenies under GRH.

Findings

Quantum algorithm runs in subexponential time

Challenges the security of isogeny-based cryptosystems

Uses a reduction to the hidden shift problem

Abstract

Given two elliptic curves over a finite field having the same cardinality and endomorphism ring, it is known that the curves admit an isogeny between them, but finding such an isogeny is believed to be computationally difficult. The fastest known classical algorithm takes exponential time, and prior to our work no faster quantum algorithm was known. Recently, public-key cryptosystems based on the presumed hardness of this problem have been proposed as candidates for post-quantum cryptography. In this paper, we give a subexponential-time quantum algorithm for constructing isogenies, assuming the Generalized Riemann Hypothesis (but with no other assumptions). Our algorithm is based on a reduction to a hidden shift problem, together with a new subexponential-time algorithm for evaluating isogenies from kernel ideals (under only GRH), and represents the first nontrivial application of Kuperberg's quantum algorithm for the hidden shift problem. This result suggests that isogeny-based cryptosystems may be uncompetitive with more mainstream quantum-resistant cryptosystems such as lattice-based cryptosystems.