The supersingular isogeny problem in genus 2 and beyond

TL;DR

This paper introduces an algorithm for navigating the supersingular isogeny graph in higher dimensions, improving efficiency over existing methods and enabling better cryptanalytic approaches for related cryptosystems.

Contribution

It presents the first asymptotic algorithm for the supersingular isogeny problem in genus greater than one, extending path-finding techniques to higher-dimensional abelian varieties.

Findings

Algorithm operates in O(p^{g-1}) classical steps

Quantum version requires O(\sqrt{p^{g-1}}) calls to Grover oracle

Provides asymptotic improvements over prior algorithms in higher genus cases

Abstract

Let $A/\overline{\mathbb{F}}\_p$ and $A'/\overline{\mathbb{F}}\_p$ be supersingular principally polarized abelian varieties of dimension $g>1$. For any prime $\ell \ne p$, we give an algorithm that finds a path $\phi \colon A \rightarrow A'$ in the $(\ell, \dots , \ell)$-isogeny graph in $\widetilde{O}(p^{g-1})$ group operations on a classical computer, and $\widetilde{O}(\sqrt{p^{g-1}})$ calls to the Grover oracle on a quantum computer. The idea is to find paths from $A$ and $A'$ to nodes that correspond to products of lower dimensional abelian varieties, and to recurse down in dimension until an elliptic path-finding algorithm (such as Delfs--Galbraith) can be invoked to connect the paths in dimension $g=1$. In the general case where $A$ and $A'$ are any two nodes in the graph, this algorithm presents an asymptotic improvement over all of the algorithms in the current literature. In the special case where $A$ and $A'$ are a known and relatively small number of steps away from each other (as is the case in higher dimensional analogues of SIDH), it gives an asymptotic improvement over the quantum claw finding algorithms and an asymptotic improvement over the classical van Oorschot--Wiener algorithm.