Questions tagged [isogeny]

Elliptic curve isogenies are structure-preserving maps between elliptic curves which have been proposed as a foundation of post-quantum cryptosystems.

2 votes
1 answer
142 views

The reference is Algorithm 4.2 on page 40 in this document https://sqisign.org/spec/sqisign-20250707.pdf. I'm confused by lines 28-33. We have $I_{com,rsp}$ correspond to the isogeny $\varphi_{rsp}^{...
Myath
  • 966
3 votes
2 answers
171 views

I have some questions to clarify my understanding about Deuring correspondence between quaternions and isogenies in SQIsign(2D) version 2.0.1 https://sqisign.org/ Let $E_0$ be an elliptic curve with ...
Myath
  • 966
1 vote
1 answer
222 views

I have 2 Weierstrass curves defined over the same finite field. Both have $21888242871839275222246405745257275088548364400416034343698204186575808495617$ as common subgroup/suborder. If I’ve got 2 ...
user2284570
1 vote
1 answer
88 views

Some algorithms in isogeny-based crypto have a step that, given a point $P$ and an integer $n$, finds a point $Q$ such that $nQ = P$. What is the theory and algorithm for this?
Myath
  • 966
0 votes
0 answers
94 views

I already have equations for converting points but what are the equations for converting the elliptic curve’s equation themselves? I’m especially interested in twisted Weierstrass since quadratic ...
user2284570
2 votes
2 answers
171 views

I am originally a mathematician but I have started to examine the security properties of the PQC Isogeny-based protocols SQIsign and SQIsignHD. In various papers I came across various implications of ...
HyperPro
  • 101
1 vote
0 answers
42 views

Is there a curve that supports both? Or are there two curves that can be mapped between using a 2-isogeny that support pairing checks on one and Montgomery ladders on the other? Is there a paper on it?...
Alex
  • 11
0 votes
1 answer
137 views

If it is, could you give me a paper that states it is possible? Thank you
Alex
  • 3
3 votes
2 answers
338 views

I started studying CSIDH a few weeks ago and, seeing these papers [1] [2], I was wondering: Given $[a]E$ and $E$, find $[a]^{-1}E$. I read that it is easy to find $[a]^{-1}E_0$ knowing $[a]E_0$ by ...
OptimalNailcutter1337
16 votes
1 answer
6k views

Wouter Castryck and Thomas Decru recently broke SIDH. From the abstract: We present an efficient key recovery attack on the Supersingular Isogeny Diffie-Hellman protocol (SIDH), based on a "glue-...
Danial
  • 161
2 votes
0 answers
67 views

Let $\mathbb{F}_q$ be a large finite field. What if I invent how to efficiently construct pairs of elliptic "cryptographically strong" $\mathbb{F}_q$-curves $E_1$, $E_2$ isogenous over $\...
Dimitri Koshelev
1 vote
0 answers
69 views

What is an advantage of the Charles–Lauter–Goren hash function (based on isogenies of elliptic curves) among other provably secure collision-resistant hash functions? I heard that it is slower.
Dimitri Koshelev
7 votes
1 answer
382 views

I am trying to study the CSIDH algorithm. I have some beginner background in elliptic curves and I have been following Andrew Sutherland's lectures (https://math.mit.edu/classes/18.783/2019/lectures....
honzaik
  • 507
2 votes
0 answers
101 views

In [BGK+18] in section 4, Boneh et al. write that: For any choice of ideal classes $\mathfrak{a}_1,\dots,\mathfrak{a}_n,\mathfrak{a}_1',\dots,\mathfrak{a}_n'$ in ${Cl}(\mathcal{O})$, the abelian ...
jvdh
  • 173
0 votes
1 answer
163 views

In the proof of soundness for the SIDH ZK proof protocol (section 6.2 in DJP11) the authors refer to the "Theorem of the dual isogeny". What do they mean by this? In particular, I don't ...
jvdh
  • 173