Skip to content
BY 4.0 license Open Access Published by De Gruyter June 14, 2020

Multiparty Non-Interactive Key Exchange and More From Isogenies on Elliptic Curves

  • Dan Boneh EMAIL logo , Darren Glass , Daniel Krashen , Kristin Lauter , Shahed Sharif , Alice Silverberg , Mehdi Tibouchi and Mark Zhandry


We describe a framework for constructing an efficient non-interactive key exchange (NIKE) protocol for n parties for any n ≥ 2. Our approach is based on the problem of computing isogenies between isogenous elliptic curves, which is believed to be difficult. We do not obtain a working protocol because of a missing step that is currently an open mathematical problem. What we need to complete our protocol is an efficient algorithm that takes as input an abelian variety presented as a product of isogenous elliptic curves, and outputs an isomorphism invariant of the abelian variety.

Our framework builds a cryptographic invariant map, which is a new primitive closely related to a cryptographic multilinear map, but whose range does not necessarily have a group structure. Nevertheless, we show that a cryptographic invariant map can be used to build several cryptographic primitives, including NIKE, that were previously constructed from multilinear maps and indistinguishability obfuscation.

MSC 2010: 14K02; 14Q20; 11Y16; 94A60

1 Introduction

Let 𝔽q be a finite field, let E be an ordinary elliptic curve over 𝔽q, and let X be the set of isomorphism classes of elliptic curves over 𝔽q that are 𝔽q-isogenous to E. The set X is almost always large (containing on the order of q elements). Moreover, under suitable conditions on E, the set X is endowed with a free and transitive action ∗ by a certain abelian group G, which is the ideal class group of the endomorphism ring of E. The action ∗ maps a given gG and EX to a curve gEX.

This action, originally defined by Deuring [16], has a number of properties that makes it useful in cryptography. First, for a fixed curve EX, the map GX defined by ggE is believed to be a one-way function. In other words, given a random curve E′ ∈ X it is difficult to find an element gG such that E′ = gE. This suggests a Diffie–Hellman two-party key exchange protocol, proposed by Couveignes [14] and Rostovtsev and Stolbunov [38]: Alice chooses a random aG and publishes Ea := aE; Bob chooses a random bG and publishes Eb := bE. Their shared key is the curve Eab := (ab) ∗ E = aEb = bEa, which they can both compute. To ensure that both parties obtain the same key, their shared key is the j-invariant of the curve Eab. More recently, De Feo, Jao, and Plût [20], Galbraith [24], Castryck et al. [11], and De Feo, Kieffer, and Smith [21] proposed variants of this protocol with better security and efficiency. Moreover, a supersingular version of the isogeny problem was introduced and proposed as the basis for a collision resistant hash function [12]. Security of this one-way function was further studied in [19].

Second, as alluded to above, the star operator satisfies the following useful property: the abelian varieties A1 := (g1E) × ⋯ × (gnE) and A2 := (g1gn) ∗ E × En−1 are isomorphic for all g1, …, gnG (see Appendix A.4 of [3]). As we will see in the next section, this suggests an n-party non-interactive key exchange protocol, as well as many other cryptographic constructions. This property leads to a more general cryptographic primitive that we call a cryptographic invariant map, defined in the next section. This primitive has properties that are similar to those of cryptographic multilinear maps [6, 25], which have found numerous applications in cryptography (e.g, [4, 7, 26, 27]). We discuss applications of cryptographic invariant maps in Section 3. In Remark 4.4 we explain why we use ordinary and not supersingular elliptic curves. Section 4 describes our approach to constructing cryptographic invariant maps from isogenies. This work leads to the following question in algebraic geometry.

An open problem.   To make the cryptographic applications discussed above viable we must first overcome an important technical challenge. While the varieties A1 and A2 defined above are isomorphic, they are presented differently. Our applications require an efficient way to compute an invariant that is the same for A1 and A2. In addition, the invariant must distinguish non-isomorphic varieties. We do not know any such computable isomorphism invariant, and we present this as an open problem. In Section 5 we explain why some natural proposals for isomorphism invariants do not seem to work. In Remarks 2.4 and 4.2 we show that a solution to this open problem, even for n = 2, would solve the isogeny decision Diffie–Hellman problem. Further, we give evidence that computing a particular isomorphism invariant might be equivalent to solving the elliptic curve isogeny problem, which is believed (or hoped) to be a quantum-resistant hard problem. Thus, Section 5 might be useful from the point of view of cryptanalysis of isogeny-based cryptography.

2 Cryptographic invariant maps

Definition 2.1

Let X be a finite set and let G be a finite abelian group. We say that G acts efficiently on X freely and transitively if there is an efficiently computable map ∗ : G × XX such that:

  1. the map is a group action: g ∗ (hx) = (gh) ∗ x, and there is an identity element id ∈ G such that id ∗ x = x, for all xX and all g, hG;

  2. the action is transitive: for every (x, y) ∈ X × X there is a gG such that gx = y; and

  3. the action is free: if xX and g, hG satisfy gx = hx, then g = h.

Definition 2.2

By a cryptographic invariant map we mean a randomized algorithm MapGen that inputs a security parameter λ, outputs public parameters pp = (X, S, G, e), and runs in time polynomial in λ, where:

  1. X and S are sets, and X is finite,

  2. G is a finite abelian group that acts efficiently on X freely and transitively,

  3. e is a deterministic algorithm that runs in time polynomial in λ and n, such that for each n > 0, algorithm e takes λ as input and computes a map en : XnS that satisfies:

  1. Invariance property of en: for all xX and g1, …, gnG,

  2. Non-degeneracy of en : for all i with 1 ≤ in and


    the map XS defined by yen(x1, …, xi−1, y, xi+1, …, xn) is injective.

In our candidate instantiation for cryptographic invariant maps the set X is a set of isogenous elliptic curves and the group G acting on X is a class group. The elements of S are isomorphism invariants of products of elliptic curves.

Definition 2.2 is quite ambitious in that it asks that en be defined for all n > 0 and run in polynomial time in n (and λ). A cryptographic invariant map that is defined even for a single n > 2, and satisfies the security assumptions in the next subsection, would still be quite interesting. We require a construction that works for all n because our framework using elliptic curve isogenies seems to support it. Similarly, we note that a construction that works for all n > 0, but runs in time exponential in n is still useful. It would limit our ability to evaluate en to relatively small n, but that is still of great interest. In the first three proposals in Section 5 we study candidates for en that run in time exponential in n, satisfy the non-degeneracy property, but do not satisfy the invariance property. It is an open problem to find a map that also satisfies the invariance property.

Security assumptions.   Next, we define some security assumptions on cryptographic invariant maps. The notation xRX will denote an independent uniform random variable x over the set X. Similarly, we use xRA(y) to define a random variable x′ that is the output of a randomized algorithm A on input y.

The n-way computational Diffie–Hellman assumption states that, given only the public parameters and (g1x, …, gnx) ∈ Xn, it is difficult to compute en−1((g1gn) ∗ x, x, …, x). A precise definition is the following:

Definition 2.3

We say that MapGen satisfies the n-way computational Diffie–Hellman assumption (n-CDH) if for every polynomial time algorithm 𝓐,


is a negligible function of λ, when pp R MapGen(λ), g1, …, gnRG, and xRX.

Remark 2.4

The natural n-way decision Diffie–Hellman assumption on X does not hold when invariant maps exist. That is, for all n > 0 it is easy to distinguish (g1gn) ∗ xX from a random element of X, given only x, g1x, …, gnx. Given a challenge yX, simply check if


Equality holds if and only if y = (g1gn) ∗ x. However, in Definition 2.5 we define an n-way decision Diffie–Hellman assumption for en−1. It states that it is hard to distinguish en−1((g1gn) ∗ x, x, …, x) from a random element in the image of en−1, given only the public parameters, x, and (g1x, …, gnx) ∈ Xn.

Definition 2.5

We say that MapGen satisfies the n-way decision Diffie–Hellman assumption (n-DDH) if the following two distributions, 𝓟0 and 𝓟1, are polynomially indistinguishable, when pp R MapGen(λ), g1, …, gnRG, and xRX:

  1. 𝓟0 is (pp, g1x, …, gnx, s0) where s0 = en−1((g1gn) ∗ x, x, …, x),

  2. 𝓟1 is (pp, g1x, …, gnx, s1) where s1 is random in Im(en−1) ⊆ S.

3 Applications

We show that suitable cryptographic invariant maps can be used to solve a number of important problems in cryptography.

n-way Non-Interactive Key Exchange (NIKE).   We show how to use a cryptographic invariant map to construct a Non-Interactive Key Exchange (NIKE) protocol in which n parties create a shared secret key that only they can efficiently calculate, without any interaction among the n parties. Currently, secure n-party NIKE for n > 3 is only known from general purpose indistinguishability obfuscation (e.g., [8]). Our NIKE construction is similar to the one in [6, 25, 32] and satisfies a “static” notion of security.

  1. Setup(λ): run (X, S, G, e) R MapGen(λ) and choose xRX. Output pp := (X, S, G, e, x).

  2. For i = 1, …, n, party i chooses a random giRG, computes xi := gixX, and publishes xi on a public bulletin board.

  3. The shared key between the n-parties is


    Party i ∈ {1, …, n} computes k by obtaining x1, …, xn from the bulletin board, then choosing some j ∈ {1, …, n} where ji, and computing


    where xi is omitted from the input to en−1.

All n parties obtain the same key k by the invariance property of en−1. Static security follows from the n-way decision Diffie–Hellman assumption, as in [6]. Alternatively, we can rely on the weaker n-way computational Diffie–Hellman assumption by applying a hash function H : SK to the key k. We model H as a random oracle in the security analysis. We leave the question of an adaptively-secure NIKE, in the sense of [22, 37], from an invariant map for future work.

Unique signatures and verifiable random functions (VRF).   A digital signature scheme is made up of three algorithms: a key generation algorithm that outputs a public key and a secret key, a signing algorithm that signs a given message using the secret key, and a verification algorithm that verifies a signature on a given message using the public key. A signature scheme is a unique signature scheme if for every public key and every message, there is at most one signature that will be accepted as a valid signature for that message under the public key. While a number of unique signature schemes are known in the random oracle model (e.g., [2, 5]), it is quite hard to construct unique signatures without random oracles [17, 35]. Unique signatures are closely related to a simpler object called a verifiable random function, or VRF [36]. Previous results show how to construct unique signatures and VRFs from multilinear maps without random oracles [6]. The same constructions work with a cryptographic invariant map. The unique signature scheme works as follows: The secret key is a random (g1,0, g1,1, …, gn,0, gn,1) RG2n. The public key is (x, y1,0, …, yn,1) ∈ X2n+1 where xRX and yi,b := gi,bx for i = 1, …, n and b = 0, 1. The signature on an n-bit message m ∈ {0, 1}n is σ:=(i=1ngi,mi)xX. To verify a signature σ, check that en(σ, x, …, x) = en(y1,m1, …, yn,mn). The security analysis of this construction is the same as in [6].

Constrained PRFs and broadcast encryption.   We next describe how to construct constrained pseudorandom functions [7, 9, 33] for bit-fixing constraints from a cryptographic invariant map. Such constrained PRFs in turn can be used to build broadcast encryption with short ciphertexts [7].

A pseudorandom function (PRF) is a function F : 𝓚 × 𝓐 → 𝓑 that is computable in polynomial time. Here, 𝓚 is the key space, 𝓐 is the domain, and 𝓑 is the codomain. Intuitively, PRF security requires that, for a random key k ∈ 𝓚, an adversary who obtains pairs (a, F(k, a)), for a ∈ 𝓐 of its choice, cannot distinguish these pairs from pairs (a, f(a)) where f is a random function 𝓐 → 𝓑.

A bit-fixing constrained PRF is a PRF where a key k ∈ 𝓚 can be constrained to only evaluate the PRF on a subset of the domain 𝓐, where 𝓐 = {0, 1}n. Specifically, for V ⊆ [n] = {1, …, n} and a function v : V → {0, 1}, let 𝓐v = {a ∈ 𝓐:∀ iV, ai = v(i)}. A constrained key kv enables one to evaluate F(k, a) for all a ∈ 𝓐v, but reveals nothing about F(k, a) for a ∉ 𝓐v. We refer to [7] for the complete definition of this concept, and its many applications.

We now explain how to construct bit-fixing constrained PRFs from cryptographic invariant maps. The construction and security proof are essentially the same as in Boneh and Waters [7], but translated to our setting. One complication is that the construction of Boneh and Waters requires a way to operate on invariants in S. We get around this by delaying the evaluation of the invariant to the very last step. We thus obtain the following bit-fixing constrained PRF:

  1. Setup(λ): run (X, S, G, e) R MapGen(λ) and choose xRX.

    Next choose αRG and di,bRG for i ∈ [n] and b ∈ {0, 1}.

    Output the key k = (X, S, G, e, α, {di,b}i,b).

  2. The PRF is defined as: F(k,a)=en((α×i=1ndi,ai)x,x,,x).

    Here, a ∈ {0, 1}n specifies a subset product of the set of di,b’s.

  3. Constrain(k, v): Let V ⊆ [n] be the support of the function v, and assume V is not empty. The constrained key kv is constructed as follows. Set Di,b = di,bx for iV. Let i0 be the smallest element of V. Choose ∣V∣ − 1 random giG for iV ∖ {i0}, and set gi0 = α × ∏iVdi,vi × (∏iV∖{i0}gi)−1G. Let hi = gix for iV.

    The constrained key is kv = ({Di,b}iV,b∈{0,1}, {hi}iV).

  4. Eval(kv, a): To evaluate F(k, a) using the constrained key kv do the following. If a ∉ 𝓐v, output ⋄. Otherwise, for i = 1, …, n, let Ci = Di,ai if iV, and let Ci = hi otherwise. Output en(C1, …, Cn). Then, by construction,


The security proof is as in [7]. This construction can be further extended to a verifiable random function (VRF) by adapting Fuchsbauer [23] similarly.

Witness encryption.   Witness encryption, due to Garg et al. [27], can be used to construct Identity-Based Encryption, Attribute-Based Encryption, broadcast encryption [42], and secret sharing for NP statements. Witness encryption is a form of encryption where a public key is simply an NP statement, and a secret key is a witness for that statement. More precisely, a witness encryption scheme is a pair of algorithms:

  1. Enc(x, m) is a randomized polynomial-time algorithm that takes as input an NP statement x and a message m, and outputs a ciphertext c;

  2. Dec(x, w, c) is a deterministic polynomial-time algorithm that takes as input a statement x, supposed witness w, and ciphertext c, and attempts to produce the message m.

We require that if w is a valid witness for x, then for any message m, if cR Enc(x, m), then Dec(x, w, c) outputs m with probability 1.

The basic notion of security for witness encryption is soundness security, which requires that if x is false, then Enc(x, m) hides all information about m. A stronger notion called extractable security, due to Goldwasser et al. [28], requires, informally, that if one can learn any information about m from Enc(x, m), then it must be the case that one “knows” a witness for x.

We briefly describe how to construct witness encryption from invariant maps. It suffices to give a construction from any NP-complete problem. There are at least two natural constructions from multilinear maps that we can use. One approach is to adapt the original witness encryption scheme of Garg et al. [27] based on the Exact Cover problem. This approach unfortunately also requires the same graded structure as needed by Boneh and Waters [7]. However, we can apply the same ideas as in our constrained PRF construction to get their scheme to work with invariant maps. Another is the scheme of Zhandry [42] based on Subset Sum.[1]

As with the constructions of Garg et al. and Zhandry, the security of these constructions can be justified in an idealized attack model for the cryptographic invariant map, allowing only the operations explicitly allowed by the map–-namely the group action and the map operation. Justification in idealized models is not a proof, but provides heuristic evidence for security.

4 Cryptographic invariant maps from isogenies

We begin by recalling some facts that are presented in more detail in Appendix A of [3]. Let E be an ordinary elliptic curve over a finite field 𝔽q such that the ring ℤ[π] generated by its Frobenius endomorphism π is integrally closed. This implies in particular that ℤ[π] is the full endomorphism ring 𝒪 of E. Let Cl(𝒪) denote the ideal class group of this ring, and let Ell(𝒪) denote the isogeny class of E; that is, isomorphism classes of elliptic curves over 𝔽q which are 𝔽q-isogenous to E. There exists a free and transitive action ∗ of Cl(𝒪) on Ell(𝒪), and there is a way to represent elements of Cl(𝒪) (namely, as products of prime ideals of small norm) that makes this action efficiently computable. Moreover, one can efficiently sample close to uniform elements in Cl(𝒪) under that representation. In addition, the “star operator” ∗ satisfies the following property: for any choice of ideal classes 𝔞1, …, 𝔞n, 𝔞′1, …, 𝔞′n in Cl(𝒪), the abelian varieties


are isomorphic over 𝔽q if and only if 𝔞1 ⋯ 𝔞n = 𝔞′1 ⋯ 𝔞′n in Cl(𝒪). In particular:


Denote by Ab(E) the set of abelian varieties over 𝔽q that are a product of the form (2), and assume that we can efficiently compute an isomorphism invariant for abelian varieties in Ab(E). In other words, assume that we have an efficiently computable map isom : Ab(E) → S to some set S that to any tuple E1, …, En of elliptic curves isogenous to E associates an element isom(E1 × ⋯ × En) of S such that isom(E1 × ⋯ × En) = isom(E1 × ⋯ × En) if and only if the products E1 × ⋯ × En and E1 × ⋯ × En are isomorphic as abelian varieties. The curves Ei are given for example by their j-invariants, and in particular, the ideal classes 𝔞i such that Ei ≅ 𝔞iE are not supposed to be known.

Based on such an isomorphism invariant isom, we construct a cryptographic invariant map as follows. The algorithm MapGen(λ) computes a sufficiently large base field 𝔽q, and an elliptic curve E over 𝔽q such that the ring ℤ[π] generated by its Frobenius endomorphism is integrally closed (this can be done efficiently: see again Appendix A of [3]). The algorithm then outputs the public parameters pp = (X, S, G, e) where:

  1. X = Ell(𝒪) is the isogeny class of E over 𝔽q;

  2. S is the codomain of the isomorphism invariant isom;

  3. G = Cl(𝒪) is the ideal class group of 𝒪; and

  4. the map en : XnS is given by en(E1, …, En) = isom(E1 × ⋯ × En).

The facts recalled at the beginning of this section show that G acts efficiently on X freely and transitively in the sense of Definition 2.1, and that the properties of Definition 2.2 are satisfied. In particular, the invariance property follows from (2), and the non-degeneracy from the fact that the abelian varieties in (1) are isomorphic only if the corresponding products of ideal classes coincide. Thus, this approach does provide a cryptographic invariant map assuming isom exists.

Remark 4.1

In the 2-party case, the NIKE protocol obtained from this construction coincides with the isogeny key exchange protocols over ordinary curves described by Couveignes [14] and Rostovtsev–Stolbunov [38].

Remark 4.2

The existence of isom breaks the isogeny decision Diffie–Hellman problem. Indeed, given three elliptic curves (𝔞 ∗ E, 𝔟 ∗ E, 𝔠 ∗ E) isogenous to E, one can check whether 𝔠 = 𝔞𝔟 in Cl(𝒪) by testing whether the surfaces (𝔠 ∗ E) × E and (𝔞 ∗ E) × (𝔟 ∗ E) are isomorphic. This does not prevent the construction of secure NIKE protocols (as those can be based on the computational isogeny Diffie–Hellman problem by applying a hash function: see Section 3), but currently, no efficient algorithm is known for this isogeny decision Diffie–Hellman problem.

Remark 4.3

For certain applications, it would be interesting to be able to hash to the set X = Ell(𝒪), i.e., construct a random-looking curve E′ in the isogeny class of E without knowing an isogeny walk from E to E′. An equivalent problem is to construct a random-looking elliptic curve with exactly #E(𝔽q) points over 𝔽q. This seems difficult, however; the normal way of doing so involves the CM method, which is not efficient when the discriminant is large.

Remark 4.4

One can ask whether this construction extends to the supersingular case. Over 𝔽p2 with p prime, the answer is clearly no, as the isogeny class of a supersingular elliptic curve is not endowed with a natural free and transitive group action by an abelian group. More importantly, isomorphism classes of products of isogenous supersingular elliptic curves over 𝔽q are essentially trivial at least in a geometric sense. Indeed, according to a result of Deligne (see [39, Theorem 3.5]), if E1, …, En,E1, …, En are all isogenous to a supersingular elliptic curve E, then E1 × ⋯ × EnE1 × ⋯ × En over 𝔽q as soon as n ≥ 2. In fact, the result holds over any extension of the base field over which all the endomorphisms of E are defined, so already over 𝔽p2. However, for a supersingular elliptic curve E over a prime field 𝔽p, the number of 𝔽p-isomorphism classes of products E1 × ⋯ × En with all Ei isogenous to E can be large. For example, this is shown when n = 2 in [41, Section 5]. Therefore, one could conceivably obtain a “commutative supersingular” version of the construction above, which would generalize the recent 2-party key exchange protocol CSIDH [11], assuming that 𝔽p-isomorphism invariants can be computed in that setting. Since those invariants must be arithmetic rather than geometric in nature, however, this seems even more difficult to achieve than in the ordinary case.

5 Some natural candidate cryptographic invariant maps

In order to instantiate a cryptosystem based on the ideas in this paper, it remains to find an efficiently computable map isom : Ab(E) → S for some set S, as in the previous section. Below we give evidence that several natural candidates fail, either because efficiently computing them would break the cryptographic security, or because they are not in fact isomorphism invariants.

Our primary roadblock is that while E1 × ⋯ × En and E1 × ⋯ × En can be isomorphic as unpolarized abelian varieties, they are not necessarily isomorphic as polarized abelian varieties with their product polarizations. The first three proposals below for invariants are invariants of the isomorphism class as polarized abelian varieties, but are not invariants of the isomorphism class as unpolarized abelian varieties. We do not know a way for the different parties to choose polarizations on their product varieties in a compatible way, to produce the same invariant, without solving the elliptic curve isogeny problem.

At present, we do not know an invariant of abelian varieties in dimension ≥ 2 that does not require choosing a polarization, with the exception of what we call the “Deligne invariant”, described below.

The theta null invariant.   One natural candidate is given by Mumford′s theta nulls, presented in detail in Appendix B of [3]. Unfortunately, in order to compute even a single theta null, one must first choose a principal polarization, and the resulting invariant does depend on this choice of polarization in a crucial way. In [3, Proposition B.7] we show that, as a result, the theta nulls do not in fact provide an isomorphism invariant as unpolarized abelian varieties.

Igusa invariants.   Suppose n = 2 and End EQQ(d) with d ∈ ℕ square-free. If d ≠ 1, 3, 7, 15, then for E1 and E2 in the isogeny class of E, the product E1 × E2 is the Jacobian of a genus 2 curve C (see [30]). It is possible to compute such a genus 2 curve C, given a suitable principal polarization on E1 × E2. For each such C, one could then compute the Igusa invariants [31] of C. The number of genus 2 curves C such that E1 × E2 is isomorphic to the Jacobian variety of C is large ([29] and [34, Theorem 5.1]), and unfortunately the Igusa invariants are different for different choices of C. There are many principal polarizations on each element of Ab(E), and no compatible way for the different parties to choose the same one.

Invariants of Kummer surfaces.   When n = 2, another approach is to consider the Kummer surface of A = E1 × E2, which is the quotient K = A/{±1}. The surface K itself does not depend on a polarization. But extracting an invariant from K, for example as in [10, Chapter 3], does depend on having a projective embedding of K.

Deligne invariant.   A natural candidate is an isomorphism invariant studied by Deligne [15]. Suppose A is an ordinary abelian variety over k = 𝔽q. The Serre-Tate canonical lift of A to characteristic 0 produces an abelian variety over the ring of Witt vectors W(). Fixing an embedding α of W() into ℂ, we can view this lift as a complex abelian variety A(α). Let Tα(A) denote the first integral homology group of A(α). The theorem in [15, §7] shows that ordinary abelian varieties A and B over 𝔽q are isomorphic if and only if there is an isomorphism Tα(A) → Tα(B) that respects the action of F.

A natural candidate for a cryptographic invariant map is the map that sends (E1, …, En) to the isomorphism invariant


Specifying the isomorphism class of Tα(E1 × ⋯ × En) as a ℤ[F]-module is equivalent to specifying the action of F as a 2n × 2n integer matrix, unique up to conjugacy over ℤ. However, we show in Theorem 5.1 below that being able to compute Tα(E) for an elliptic curve E in polynomial time would yield a polynomial-time algorithm to solve the elliptic curve isogeny problem of recovering 𝔞 given E and 𝔞∗ E, and conversely.

Theorem 5.1

An efficient algorithm to compute Deligne invariantsTα(E) on an isogeny class of ordinary elliptic curves over a finite fieldkgives an efficient algorithm to solve the elliptic curve isogeny problem in that isogeny class. Conversely, an efficient algorithm to solve the elliptic curve isogeny problem on an isogeny class of ordinary elliptic curves overkyields an efficient algorithm to compute, for some embeddingα : W() ↪ ℂ, the Deligne invariantsTα(E) on the isogeny class.


Suppose that E1 and E2 are in the isogeny class, and suppose that for i = 1, 2 we have a ℤ-basis {ui, vi} for Tα(Ei) and a 2 × 2 integer matrix giving the action of F with respect to this basis. We will efficiently compute a fractional ideal 𝔞 such that 𝔞 ∗ E1E2.

Let f(t) be the characteristic polynomial of Frobenius acting on E1 or E2; these are the same since E1 and E2 are isogenous. Let R = ℤ[t]/(f) and R = R ℚ. Then Tα(Ei) is a rank one R-module, with t acting as F. Compute ai, bi ∈ ℤ such that F(ui) = aiui + bivi. Let 𝔞i be the fractional R-ideal generated by 1 and (tai)/bi. Compute and output a=a1a21.

We claim that 𝔞 ∗ E1E2. Define λi : Tα(Ei) ↪ R by sending wTα(Ei) to the unique λi(w) ∈ R such that λi(w) ⋅ ui = w. Then λi(ui) = 1 and λi(vi) = (tai)/bi, so the fractional ideal 𝔞i is the image of the map λi. Suppose M is a positive integer such that M𝔞 is an integral ideal of R, and let h=λ21Mλ1. Then h(Tα(E1)) is an R-submodule of Tα(E2). By [15, §7], the map ETα(E) is a fully faithful functor, i.e., it induces a bijection


Thus h arises from a unique isogeny ϕ : E1E2. By [15, §4], the kernel of ϕ is isomorphic as an R-module to Tα(E2)/h(Tα(E1)). The latter R-module is isomorphic to R/M𝔞, and hence is exactly annihilated by M𝔞. Thus ker(ϕ) ≅ E1[M𝔞], so E2E1/E1[M𝔞] ≅ (M𝔞) ∗ E1. Since M𝔞 and 𝔞 are in the same ideal class, we have E2 ≅ 𝔞 ∗ E1, as desired. Fractional ideals can be inverted in polynomial time by [1, Algorithm 5.3] or [13, § 4.8.4] (see [1, p. 21] for the complexity).

Conversely, suppose we have an algorithm that efficiently solves the isogeny problem in the isogeny class of an ordinary elliptic curve E0. Take R as above. We show below that there exists an embedding α : W() ↪ ℂ such that Tα(E0) ≅ R. Given E isogenous to E0, use the isogeny problem algorithm to compute 𝔞 such that E0 ≅ 𝔞 ∗ E. Output Tα(E) = 𝔞.

It remains to show that an embedding α : W() ↪ ℂ exists such that Tα(E0) ≅ R and Tα(E) = 𝔞. We follow an argument in the proof of [18, Theorem 2.1]. There exists an elliptic curve E′ over ℂ with CM by R for which H1(E′,ℤ) ≅ R as R-modules. Take any embedding β : W() ↪ ℂ. Then the complex elliptic curve E0(β) has CM by R, and by the theory of complex multiplication there exists σ ∈ Gal(ℂ/ℚ) such that E=σ(E0(β))=E0(σβ). Let α = σβ. By construction, Tα(E0) = H1(E′, ℤ) ≅ R. Further, by [40, Prop. II.1.2], Tα(E) ≅ 𝔞 ⊗RTα(E0) ≅ 𝔞, as claimed.□


We thank the American Institute of Mathematics (AIM) for supporting a workshop on multilinear maps where the initial seeds for this work were developed, and the Banff International Research Station (BIRS) where our collaboration continued. We also thank Michiel Kosters and Yuri Zarhin. Boneh was partially supported by NSF, DARPA, and ONR. Silverberg was partially supported by a grant from the Alfred P. Sloan Foundation and NSF grant CNS-1703321.


[1] Karim Belabas, Topics in computational algebraic number theory, J. Théor. Nombres Bordeaux16 (2004), 19–63.10.5802/jtnb.433Search in Google Scholar

[2] Mihir Bellare and Phillip Rogaway, The Exact Security of Digital Signatures: How to Sign with RSA and Rabin, in: EUROCRYPT’96 (Ueli M. Maurer, ed.), LNCS 1070, pp. 399–416, Springer, Heidelberg, May 1996.10.1007/3-540-68339-9_34Search in Google Scholar

[3] Dan Boneh, Darren Glass, Daniel Krashen, Kristin Lauter, Shahed Sharif, Alice Silverberg, Mehdi Tibouchi and Mark Zhandry, Multiparty Non-Interactive Key Exchange and More From Isogenies on Elliptic Curves, Cryptology ePrint Archive, Report 2018/665, 2018, in Google Scholar

[4] Dan Boneh, Kevin Lewi, Mariana Raykova, Amit Sahai, Mark Zhandry and Joe Zimmerman, Semantically Secure Order-Revealing Encryption: Multi-input Functional Encryption Without Obfuscation, in: EUROCRYPT 2015, Part II (Elisabeth Oswald and Marc Fischlin, eds.), LNCS 9057, pp. 563–594, Springer, Heidelberg, April 2015.10.1007/978-3-662-46803-6_19Search in Google Scholar

[5] Dan Boneh, Ben Lynn and Hovav Shacham, Short Signatures from the Weil Pairing, in: ASIACRYPT 2001 (Colin Boyd, ed.), LNCS 2248, pp. 514–532, Springer, Heidelberg, December 2001.10.1007/3-540-45682-1_30Search in Google Scholar

[6] Dan Boneh and Alice Silverberg, Applications of multilinear forms to cryptography, Contemporary Mathematics324 (2003), 71–90.10.1090/conm/324/05731Search in Google Scholar

[7] Dan Boneh and Brent Waters, Constrained Pseudorandom Functions and Their Applications, in: ASIACRYPT 2013, Part II (Kazue Sako and Palash Sarkar, eds.), LNCS 8270, pp. 280–300, Springer, Heidelberg, December 2013.10.1007/978-3-642-42045-0_15Search in Google Scholar

[8] Dan Boneh and Mark Zhandry, Multiparty key exchange, efficient traitor tracing, and more from indistinguishability obfuscation, Algorithmica79 (2017), 1233–1285, Extended abstract in Crypto 2014.10.1007/978-3-662-44371-2_27Search in Google Scholar

[9] Elette Boyle, Shafi Goldwasser and Ioana Ivan, Functional Signatures and Pseudorandom Functions, in: PKC 2014 (Hugo Krawczyk, ed.), LNCS 8383, pp. 501–519, Springer, Heidelberg, March 2014.10.1007/978-3-642-54631-0_29Search in Google Scholar

[10] John W. S. Cassels and E. Victor Flynn, Prolegomena to a middlebrow arithmetic of curves of genus 2, London Mathematical Society Lecture Note Series 230, Cambridge University Press, Cambridge, 1996.10.1017/CBO9780511526084Search in Google Scholar

[11] Wouter Castryck, Tanja Lange, Chloe Martindale, Lorenz Panny and Joost Renes, CSIDH: An Efficient Post-Quantum Commutative Group Action, Cryptology ePrint Archive, Report 2018/383, 2018, in Google Scholar

[12] Denis Xavier Charles, Kristin E. Lauter and Eyal Z. Goren, Cryptographic Hash Functions from Expander Graphs, Journal of Cryptology22 (2009), 93–113.10.1007/s00145-007-9002-xSearch in Google Scholar

[13] Henri Cohen, A course in computational algebraic number theory, Graduate Texts in Mathematics 138, Springer-Verlag, Berlin, 1993.10.1007/978-3-662-02945-9Search in Google Scholar

[14] Jean-Marc Couveignes, Hard Homogeneous Spaces, Cryptology ePrint Archive, Report 2006/291, 2006, in Google Scholar

[15] Pierre Deligne, Variétés abéliennes ordinaires sur un corps fini, Invent. Math. 8 (1969), 238–243.10.1007/BF01406076Search in Google Scholar

[16] Max Deuring, Die Typen der Multiplikatorenringe elliptischer Funktionenkörper, Abh. Math. Sem. Hansischen Univ. 14 (1941), 197–272.10.1007/BF02940746Search in Google Scholar

[17] Yevgeniy Dodis and Aleksandr Yampolskiy, A Verifiable Random Function with Short Proofs and Keys, in: PKC 2005 (Serge Vaudenay, ed.), LNCS 3386, pp. 416–431, Springer, Heidelberg, January 2005.10.1007/978-3-540-30580-4_28Search in Google Scholar

[18] W. Duke and Á. Tóth, The splitting of primes in division fields of elliptic curves, Experiment. Math. 11 (2002), 555–565 (2003).10.1080/10586458.2002.10504706Search in Google Scholar

[19] Kirsten Eisenträger, Sean Hallgren, Kristin E. Lauter, Travis Morrison and Christophe Petit, Supersingular Isogeny Graphs and Endomorphism Rings: Reductions and Solutions, in: EUROCRYPT 2018, Part III (Jesper Buus Nielsen and Vincent Rijmen, eds.), LNCS 10822, pp. 329–368, Springer, Heidelberg, April / May 2018.10.1007/978-3-319-78372-7_11Search in Google Scholar

[20] Luca De Feo, David Jao and Jérôme Plût, Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies, J. Mathematical Cryptology8 (2014), 209–247.10.1515/jmc-2012-0015Search in Google Scholar

[21] Luca De Feo, Jean Kieffer and Benjamin Smith, Towards practical key exchange from ordinary isogeny graphs, Cryptology ePrint Archive, Report 2018/485, 2018, in Google Scholar

[22] Eduarda S. V. Freire, Dennis Hofheinz, Eike Kiltz and Kenneth G. Paterson, Non-Interactive Key Exchange, in: PKC 2013 (Kaoru Kurosawa and Goichiro Hanaoka, eds.), LNCS 7778, pp. 254–271, Springer, Heidelberg, February / March 2013.10.1007/978-3-642-36362-7_17Search in Google Scholar

[23] Georg Fuchsbauer, Constrained Verifiable Random Functions, in: SCN 14 (Michel Abdalla and Roberto De Prisco, eds.), LNCS 8642, pp. 95–114, Springer, Heidelberg, September 2014.10.1007/978-3-319-10879-7_7Search in Google Scholar

[24] Steven D. Galbraith, Authenticated key exchange for SIDH, Cryptology ePrint Archive, Report 2018/266, 2018, in Google Scholar

[25] Sanjam Garg, Craig Gentry and Shai Halevi, Candidate Multilinear Maps from Ideal Lattices, in: EUROCRYPT 2013 (Thomas Johansson and Phong Q. Nguyen, eds.), LNCS 7881, pp. 1–17, Springer, Heidelberg, May 2013.10.1007/978-3-642-38348-9_1Search in Google Scholar

[26] Sanjam Garg, Craig Gentry, Shai Halevi, Mariana Raykova, Amit Sahai and Brent Waters, Candidate Indistinguishability Obfuscation and Functional Encryption for all Circuits, in: 54th FOCS, pp. 40–49, IEEE Computer Society Press, October 2013.10.1109/FOCS.2013.13Search in Google Scholar

[27] Sanjam Garg, Craig Gentry, Amit Sahai and Brent Waters, Witness encryption and its applications, in: 45th ACM STOC (Dan Boneh, Tim Roughgarden and Joan Feigenbaum, eds.), pp. 467–476, ACM Press, June 2013.10.1145/2488608.2488667Search in Google Scholar

[28] Shafi Goldwasser, Yael Tauman Kalai, Raluca A. Popa, Vinod Vaikuntanathan and Nickolai Zeldovich, How to Run Turing Machines on Encrypted Data, in: CRYPTO 2013, Part II (Ran Canetti and Juan A. Garay, eds.), LNCS 8043, pp. 536–553, Springer, Heidelberg, August 2013.10.1007/978-3-642-40084-1_30Search in Google Scholar

[29] Tsuyoshi Hayashida, A class number associated with a product of two elliptic curves, Natur. Sci. Rep. Ochanomizu Univ. 16 (1965), 9–19.Search in Google Scholar

[30] Tsuyoshi Hayashida and Mieo Nishi, Existence of curves of genus two on a product of two elliptic curves, J. Math. Soc. Japan17 (1965), 1–16.10.2969/jmsj/01710001Search in Google Scholar

[31] Jun-ichi Igusa, Arithmetic variety of moduli for genus two, Ann. of Math. (2)72 (1960), 612–649.10.2307/1970233Search in Google Scholar

[32] Antoine Joux, A One Round Protocol for Tripartite Diffie-Hellman, Journal of Cryptology17 (2004), 263–276.10.1007/10722028_23Search in Google Scholar

[33] Aggelos Kiayias, Stavros Papadopoulos, Nikos Triandopoulos and Thomas Zacharias, Delegatable pseudorandom functions and applications, in: ACM CCS 13 (Ahmad-Reza Sadeghi, Virgil D. Gligor and Moti Yung, eds.), pp. 669–684, ACM Press, November 2013.10.1145/2508859.2516668Search in Google Scholar

[34] Herbert Lange, Principal polarizations on products of elliptic curves, The geometry of Riemann surfaces and abelian varieties, Contemp. Math. 397, Amer. Math. Soc., Providence, RI, 2006, pp. 153–162.10.1090/conm/397/07470Search in Google Scholar

[35] Anna Lysyanskaya, Unique Signatures and Verifiable Random Functions from the DH-DDH Separation, in: CRYPTO 2002 (Moti Yung, ed.), LNCS 2442, pp. 597–612, Springer, Heidelberg, August 2002.10.1007/3-540-45708-9_38Search in Google Scholar

[36] Silvio Micali, Michael O. Rabin and Salil P. Vadhan, Verifiable Random Functions, in: 40th FOCS, pp. 120–130, IEEE Computer Society Press, October 1999.Search in Google Scholar

[37] Vanishree Rao, Adaptive Multiparty Non-interactive Key Exchange Without Setup In The Standard Model, Cryptology ePrint Archive, Report 2014/910, 2014, in Google Scholar

[38] Alexander Rostovtsev and Anton Stolbunov, Public-Key Cryptosystem Based On Isogenies, Cryptology ePrint Archive, Report 2006/145, 2006, in Google Scholar

[39] Tetsuji Shioda, Supersingular K3 surfaces, in: Algebraic Geometry (Knud LØnsted, ed.), Lecture Notes in Mathematics 732, pp. 564–591, Springer, 1978.10.1007/BFb0066664Search in Google Scholar

[40] Joseph H. Silverman, Advanced topics in the arithmetic of elliptic curves, Graduate Texts in Mathematics 151, Springer-Verlag, New York, 1994.10.1007/978-1-4612-0851-8Search in Google Scholar

[41] Jiangwei Xue, Tse-Chung Yang and Chia-Fu Yu, On superspecial abelian surfaces over finite fields, Documenta Mathematica21 (2016), 1607–1643.Search in Google Scholar

[42] Mark Zhandry, How to Avoid Obfuscation Using Witness PRFs, in: TCC 2016-A, Part II (Eyal Kushilevitz and Tal Malkin, eds.), LNCS 9563, pp. 421–448, Springer, Heidelberg, January 2016.10.1007/978-3-662-49099-0_16Search in Google Scholar

Received: 2020-02-04
Accepted: 2020-02-05
Published Online: 2020-06-14

© 2020 D. Boneh et al., published by De Gruyter

This work is licensed under the Creative Commons Attribution 4.0 International License.

Downloaded on 9.12.2023 from
Scroll to top button