The supersingular Endomorphism Ring and One Endomorphism problems are equivalent

TL;DR

This paper proves the equivalence of the supersingular endomorphism ring problem and the one endomorphism problem, establishing new connections and algorithms in isogeny-based cryptography.

Contribution

It establishes the equivalence of two fundamental problems in supersingular elliptic curve cryptography and introduces a new framework for analyzing isogeny graphs.

Findings

Proves the problems are equivalent under probabilistic polynomial time reductions.

Shows the endomorphism ring problem implies collision resistance of certain cryptographic hash functions.

Provides an unconditional algorithm for solving the problem in time ~O(√p).

Abstract

The supersingular Endomorphism Ring problem is the following: given a supersingular elliptic curve, compute all of its endomorphisms. The presumed hardness of this problem is foundational for isogeny-based cryptography. The One Endomorphism problem only asks to find a single non-scalar endomorphism. We prove that these two problems are equivalent, under probabilistic polynomial time reductions. We prove a number of consequences. First, assuming the hardness of the endomorphism ring problem, the Charles--Goren--Lauter hash function is collision resistant, and the SQIsign identification protocol is sound. Second, the endomorphism ring problem is equivalent to the problem of computing arbitrary isogenies between supersingular elliptic curves, a result previously known only for isogenies of smooth degree. Third, there exists an unconditional probabilistic algorithm to solve the endomorphism ring problem in time O~(sqrt(p)), a result that previously required to assume the generalized Riemann hypothesis. To prove our main result, we introduce a flexible framework for the study of isogeny graphs with additional information. We prove a general and easy-to-use rapid mixing theorem. The proof of this result goes via an augmented Deuring correspondence and the Jacquet-Langlands correspondence.