The generalized KLPT algorithm - École Polytechnique
The generalized KLPT algorithm
Antonin Leroux
DGA, Inria Saclay
Classical Cryptography
Current cryptography:
• The Integer Factorization Problem
• The Discrete Logarithm Problem
Hard for classical computers, solved in polynomial time on a quantum
computer using Shor’s Algorithm.
Post-Quantum Cryptography
Post-Quantum Cryptography (PQC) → usable on classical computers but
resistant to quantum computers.
In 2016, NIST launched a competition for PQC, looking for
signature and key exchange protocols. Different candidates:
• Lattice-based crypto
• Code-based crypto
• Multivariate-based crypto (Signatures only)
• Hash-based crypto (Signatures only)
• Isogeny-based crypto (Key exchange only)
For isogenies: SIKE, a variant of the SIDH protocol (2011, by D. Jao and
L. De Feo).
Table of contents
1. Isogeny-based cryptography
2. The Deuring Correspondence
3. The Quaternion ℓ-isogeny Path Problem
4. Contribution
Isogeny-based cryptography
Isogeny notations
Separable isogeny: $\varphi : E \to E'$
The degree is $\deg(\varphi) = |\ker(\varphi)|$.
The dual isogeny $\hat\varphi : E' \to E$ satisfies $\hat\varphi \circ \varphi = [\deg(\varphi)]_E$.
Endomorphism ring
An isogeny $\varphi : E \to E$ is an endomorphism. $\mathrm{End}(E)$ is a ring with
addition and composition.
Examples: $[n]_E$ for $n \in \mathbb{Z}$, Frobenius over $\mathbb{F}_p$, i.e. $\pi : (x, y) \to (x^p, y^p)$
On elliptic curves over finite fields:
• Ordinary when $\mathrm{End}(E)$ is an order of a quadratic imaginary field.
• Supersingular when $\mathrm{End}(E)$ is a maximal order of a quaternion
algebra.
Supersingular Isogeny Graph
Supersingular ℓ-isogeny graph: vertices are supersingular elliptic curves,
edges are ℓ-isogenies.
This graph is
• Finite
• Fully connected
• Regular
• Ramanujan (optimal expander graph)
Supersingular Isogeny Diffie Hellman
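[Diagram: curves $E_0$, $E_A$, $E_B$, $E_{AB}$, $E_{BA}$; isogenies $\varphi_A$, $\varphi_B$, $\varphi_{AB}$, $\varphi_{BA}$; $E_{AB} \simeq E_{BA}$.]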
Supersingular Isogeny Problem
The underlying security problem:
Supersingular ℓ-Isogeny Problem: Given a prime $p$ and two
supersingular curves $E_1$ and $E_2$ over $\mathbb{F}_{p^2}$, compute an $\ell^e$-isogeny
$\varphi : E_1 \to E_2$ for $e \in \mathbb{N}^*$.
The Deuring Correspondence
Quaternion Algebra
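The quaternion algebra $H(a, b)$ is
$H(a, b) = \mathbb{Q} + i\mathbb{Q} + j\mathbb{Q} + k\mathbb{Q}$
with $i^2 = a$, $j^2 = b$ and $k = ij = -ji$.
Conjugates:
$\alpha = a_1 + a_2 i + a_3 j + a_4 k \longmapsto \bar\alpha = a_1 - a_2 i - a_3 j - a_4 k$
The reduced norm
$n(\alpha) = \alpha\bar\alpha$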
Order and ideals
Fractional ideals are $\mathbb{Z}$-lattices of rank 4
$I = \alpha_1\mathbb{Z} + \alpha_2\mathbb{Z} + \alpha_3\mathbb{Z} + \alpha_4\mathbb{Z}$
The reduced norm is $n(I) = \gcd\{n(\alpha) : \alpha \in I\}$
An order $\mathcal{O}$ is an ideal which is also a ring; it is maximal when not
contained in another order.
The (maximal) left order $\mathcal{O}_L(I)$ of an ideal is
$\mathcal{O}_L(I) = \{\alpha \in H(a, b) : \alpha I \subset I\}$
An ideal is integral when $I \subset \mathcal{O}_L(I)$.
The equivalence relation $\sim$ is $I \sim J$ when $I = Jq$ for $q \in H(a, b)^*$
The Deuring Correspondence
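Supersingular elliptic curves over $\mathbb{F}_{p^2}$ ←→ Maximal orders in $A_p$
Example: $p \equiv 3 \bmod 4$, $A_p = H(-1, -p)$.
$E_0 : y^2 = x^3 + x$ and $\mathrm{End}(E_0) \simeq \langle 1, \iota, \frac{\iota + \pi}{2}, \frac{1 + \iota\pi}{2} \rangle$
where $\pi$ is the Frobenius and $\iota : (x, y) \mapsto (-x, \sqrt{-1}\,y)$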
The Deuring Correspondence, Summary
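| Supersingular elliptic curves over $\mathbb{F}_{p^2}$ | Maximal orders in $A_p$ |
| --- | --- |
| $E_0$ | $\mathcal{O}_0 \simeq \mathrm{End}(E_0)$ |
| $(E_1, \varphi)$ with $\varphi : E_0 \to E_1$ | $I_\varphi$ integral left $\mathcal{O}_0$-ideal |
| $\deg(\varphi)$ | $n(I_\varphi)$ |
| $\hat\varphi$ | $\overline{I_\varphi}$ |
| $\varphi : E_0 \to E_1$, $\psi : E_0 \to E_1$ | Equivalent ideals $I_\varphi \sim I_\psi$ |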
The Quaternion ℓ-isogeny Path Problem
The problem
The Quaternion ℓ-Isogeny Path Problem is the problem corresponding to
the Supersingular ℓ-Isogeny Problem through the Deuring
Correspondence.
Quaternion ℓ-Isogeny Path Problem: Given a prime number $p$, a
maximal order $\mathcal{O}$ of $A_p$ and $I$ a left integral $\mathcal{O}$-ideal, find $J \sim I$ of norm
$\ell^e$ for $e \in \mathbb{N}^*$.
Solving this problem reduces the Supersingular ℓ-isogeny problem to the
computation of the endomorphism ring.
A key lemma
Lemma
Let $I$ be a left integral $\mathcal{O}$-ideal and $\alpha \in I$. Then $I\frac{\bar\alpha}{n(I)}$ is an integral left
$\mathcal{O}$-ideal of norm $\frac{n(\alpha)}{n(I)}$.
Solving the Quaternion ℓ-Isogeny Path Problem reduces to solving a
norm equation over $I$.
The solution of KLPT
In 2014, Kohel et al. gave a polynomial-time solution when $\mathcal{O}$ is a special
extremal order.
Algorithm KLPT:
Input: $I$, $n(I) = N$
Output: $J \sim I$
1. Find $\gamma \in \mathcal{O}$ of norm $N\ell^{e_0}$.
2. Find $\nu_0$ such that $\gamma\nu_0 \in I$.
3. Find $\nu$, the strong approximation of $\nu_0$, of norm $\ell^{e_1}$.
4. Output $J = I\frac{\bar\beta}{N}$ with $\beta = \gamma\nu$.
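Step 1 of the algorithm above, worked on toy numbers as an added example (not code from the slides or from the KLPT authors). It assumes the algebra H(−1, −p) from the Deuring slide, looks for γ only in the suborder Z⟨i, j⟩ of the special order, scans (c, d) deterministically where an implementation would sample at random, and uses Cornacchia's method for the two-squares step; all function names and parameters are chosen here for illustration.

```python
from math import isqrt

def qmul(x, y, a, b):
    """Multiply in H(a, b): i^2 = a, j^2 = b, k = ij = -ji."""
    x1, x2, x3, x4 = x
    y1, y2, y3, y4 = y
    return (x1*y1 + a*x2*y2 + b*x3*y3 - a*b*x4*y4,
            x1*y2 + x2*y1 - b*x3*y4 + b*x4*y3,
            x1*y3 + x3*y1 + a*x2*y4 - a*x4*y2,
            x1*y4 + x4*y1 + x2*y3 - x3*y2)

def norm(x, a, b):
    """Reduced norm n(x) = x * conj(x); the product must be a pure scalar."""
    x1, x2, x3, x4 = x
    prod = qmul(x, (x1, -x2, -x3, -x4), a, b)
    assert prod[1:] == (0, 0, 0)
    return prod[0]

def is_prime(n):
    """Miller-Rabin with fixed bases (exact for n < 3.3e24, ample for a toy)."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2:
        return False
    for q in bases:
        if n % q == 0:
            return n == q
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for g in bases:
        x = pow(g, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def two_squares(r):
    """Cornacchia: (x, y) with x^2 + y^2 = r for a prime r = 1 mod 4, else None."""
    if r % 4 != 1 or not is_prime(r):
        return None
    g = 2
    while pow(g, (r - 1) // 2, r) != r - 1:   # smallest quadratic non-residue
        g += 1
    u, v = r, pow(g, (r - 1) // 4, r)          # v^2 = -1 (mod r)
    while v * v > r:                           # Euclid until v < sqrt(r)
        u, v = v, u % v
    return v, isqrt(r - v * v)

def find_gamma(p, N, ell, e0):
    """gamma = x + y*i + c*j + d*k in Z<i,j>, H(-1,-p), with n(gamma) = N*ell^e0."""
    M = N * ell**e0
    bound = isqrt(M // p)
    for c in range(bound + 1):                 # assumption: scan, not random sampling
        for d in range(c, bound + 1):
            r = M - p * (c*c + d*d)            # remaining part must be x^2 + y^2
            xy = two_squares(r) if r > 0 else None
            if xy:
                return (xy[0], xy[1], c, d)
    return None

# Constructed toy parameters: p = 103 (3 mod 4), n(I) = N = 11, ell = 2, e0 = 10.
P, N_I, ELL, E0 = 103, 11, 2, 10
GAMMA = find_gamma(P, N_I, ELL, E0)
if __name__ == "__main__":
    print(GAMMA, norm(GAMMA, -1, -P))
```

By the key lemma, an element of I with this norm divided by N leaves a pure power of ℓ, which is what steps 2 to 4 build on.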
The generic Solution
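[Diagram: curves $E_0$, $E_1$, $E_2$; isogenies $\varphi_I$, $\varphi_J$, $\tau_1$, $\tau_2$.]
Input: $\varphi_I$, $\varphi_J$
Output: $\tau_2 \circ \hat\tau_1$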
Contribution
Pushforward isogenies
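[Diagram: curves $E$, $E'$, $E''$, $E'''$; isogenies $\varphi$, $\psi$ and their pushforwards $[\varphi]_*\psi$, $[\psi]_*\varphi$.]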
The idea of the algorithm
[Diagram: curves $E_0$, $E_1$, $E_2$, $E_3$, $E_4$; edges labelled with $\varphi$, $\psi$, $\tau$ and their pushforwards.]
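When does $E_2 \simeq E_4$?
[Diagram: curves $E_0$, $E_1$, $E_2$, $E_3$, $E_4$; isogenies $\varphi$, $\psi_1$, $\psi_2$, $[\varphi]_*\psi_1$, $[\varphi]_*\psi_2$.]
Lemma
Given:
• Two isogenies $\psi_1, \psi_2$ from $E_0$ to $E_3$ of degree $N_1, N_2$, $\beta = \hat\psi_2 \circ \psi_1$
• $\varphi : E_0 \to E_1$ of kernel $\langle R \rangle$ and degree $N$ coprime with $N_1$ and $N_2$
$E_2 \simeq E_4 \Leftarrow I_{\psi_2} = I_{\psi_1}\frac{\bar\beta}{N_1}$ and $\exists \lambda \in (\mathbb{Z}/N\mathbb{Z})^*$ such that $\beta - \lambda \in I_\varphi$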
The new generic algorithm
Algorithm GeneralizedKLPT:
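Input: $I$ a left $\mathcal{O}_1$-ideal, $I_\varphi$.
Output: $J \sim I$ of norm $\ell^e$.
1. Compute $I' = [I_{\hat\varphi}]_* I$
2. Find $\beta_1 \in I'$ of norm $N\ell^{e_0}$ with KLPT.
3. Find $\nu_0 \in \mathcal{O}_0$ such that $\exists \lambda \in \mathbb{Z}^*$ with $\beta_1\nu - \lambda \in I_\varphi$.
4. Find $\nu$, the strong approximation of $\nu_0$, of norm $\ell^{e_1}$.
5. Set $\beta = \beta_1\nu$, $J' = I'\frac{\bar\beta}{N}$ and output $J = [I_\varphi]_* J'$.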
Analysis of the solution
The KLPT algorithm for the special extremal case produces a solution of
norm $\ell^e$ where $e \sim \frac{7}{2}\log_\ell(p) = \frac{1}{2}\log_\ell(p) + 3\log_\ell(p)$.¹
The solution of our algorithm has norm $\ell^e$ with
$e \sim \frac{7}{2}\log_\ell(p) + 3\log_\ell(p) = \frac{13}{2}\log_\ell(p)$.
An optimization reduces this term by $\log_\ell(p)$, yielding a solution
of size $\frac{11}{2}\log_\ell(p)$.
Does the output isogeny $\varphi_I$ reveal any information on $\varphi$?
¹ The size of the smallest solution is around $\log_\ell(p)$.
Conclusion
A new solution to the generic Quaternion ℓ-isogeny path problem:
• Attacks and Security Reductions.
• A generalization of the signature protocol from Galbraith et al. in
2017.
• Other applications?
Thank you for your time.