Skip to main content
Cryptography

Questions tagged [isogeny]

Ask Question

Elliptic curve isogenies are structure-preserving maps between elliptic curves which have been proposed as a foundation of post-quantum cryptosystems.

52 questions
Newest Active Bountied Unanswered
2 votes
1 answer
177 views

The reference is Algorithm 4.2 on page 40 in this document https://sqisign.org/spec/sqisign-20250707.pdf. I'm confused by lines 28-33. We have $I_{com,rsp}$ correspond to the isogeny $\varphi_{rsp}^{...
Myath's user avatar
  • 976
3 votes
2 answers
203 views

I have some questions to clarify my understanding about Deuring correspondence between quaternions and isogenies in SQIsign(2D) version 2.0.1 https://sqisign.org/ Let $E_0$ be an elliptic curve with ...
Myath's user avatar
  • 976
1 vote
1 answer
256 views

I have 2 Weierstrass curves defined over the same finite field. Both have $21888242871839275222246405745257275088548364400416034343698204186575808495617$ as common subgroup/suborder. If I’ve got 2 ...
user2284570's user avatar
  • 376
1 vote
1 answer
93 views

Some algorithms in isogeny-based crypto have a step that, given a point $P$ and an integer $n$, finds a point $Q$ such that $nQ = P$. What is the theory and algorithm for this?
Myath's user avatar
  • 976
2 votes
2 answers
201 views

I am originally a mathematician but I have started to examine the security properties of the PQC Isogeny-based protocols SQIsign and SQIsignHD. In various papers I came across various implications of ...
HyperPro's user avatar
  • 101
1 vote
0 answers
43 views

Is there a curve that supports both? Or are there two curves that can be mapped between using a 2-isogeny that support pairing checks on one and Montgomery ladders on the other? Is there a paper on it?...
Alex's user avatar
  • 11
0 votes
1 answer
141 views

If it is could you give me a paper that states it is possible? Thank you
Alex's user avatar
  • 3
3 votes
2 answers
352 views

I started studying CSIDH a few weeks ago and, seeing these papers [1] [2], I was wondering: Given $[a]E$ and $E$, find $[a]^{-1}E$. I read that is easy to find $[a]^{-1}E_0$ knowing $[a]E_0$ by ...
OptimalNailcutter1337's user avatar
  • 33
16 votes
1 answer
6k views

Wouter Castryck and Thomas Decru recently broke SIDH. From the abstract: We present an efficient key recovery attack on the Supersingular Isogeny Diffie-Hellman protocol (SIDH), based on a "glue-...
Danial's user avatar
  • 161
2 votes
0 answers
75 views

Let $\mathbb{F}_q$ be a large finite field. What if I invent how to efficiently construct pairs of elliptic "cryptographically strong" $\mathbb{F}_q$-curves $E_1$, $E_2$ isogenous over $\...
Dimitri Koshelev's user avatar
  • 495
1 vote
0 answers
71 views

What is an advantage of the Charles--Lauter--Goren hash function (based on isogenies of elliptic curves) among other provably secure collision-resistance hash functions ? I heard that it is slower.
Dimitri Koshelev's user avatar
  • 495
7 votes
1 answer
402 views

I am trying to study the CSIDH algorithm. I have some beginner background in elliptic curves and I have been following Andrew Sutherland's lectures (https://math.mit.edu/classes/18.783/2019/lectures....
honzaik's user avatar
  • 507
2 votes
0 answers
102 views

In [BGK+18] in section 4, Boneh et al. write that: For any choice of ideal classes $\mathfrak{a}_1,\dots,\mathfrak{a}_n,\mathfrak{a}_1',\dots,\mathfrak{a}_n'$ in ${Cl}(\mathcal{O})$, the abelian ...
jvdh's user avatar
  • 173
0 votes
1 answer
171 views

In the proof of soundness for the SIDH ZK proof protocol (section 6.2 in DJP11) the authors refer to the "Theorem of the dual isogeny". What do they mean by this? In particular, I don't ...
jvdh's user avatar
  • 173
3 votes
2 answers
241 views

In the original SIDH paper by De Feo, Jao and Plût, the basis points $P_A$ and $Q_A$ are supposed to be independent points in $E(\mathbb{F}_{p^2})$ of order $\ell_A^{e_A}$ for some small prime $\ell_A$...
Jo_K_Er's user avatar
  • 33

15 30 50 per page
1
2 3 4