Orienting supersingular isogeny graphs

We introduce a category of $\mathcal{O}$-oriented supersingular elliptic curves and derive properties of the associated oriented and non-oriented supersingular $\ell$-isogeny graphs. As an application we introduce an oriented supersingular isogeny Diffie-Hellman protocol (OSIDH), analogous to the supersingular isogeny Diffie-Hellman (SIDH) protocol and generalizing the commutative supersingular isogeny Diffie-Hellman (CSIDH) protocol.


Introduction
In this paper we introduce a category of supersingular elliptic curves oriented by an imaginary quadratic order $\mathcal{O}$, and derive properties of the associated oriented and non-oriented supersingular $\ell$-isogeny graphs. This permits one to derive a faithful group action on a subset of oriented supersingular curves, equipped with a forgetful map to the set of non-oriented supersingular curves. As an application we introduce an oriented supersingular isogeny Diffie-Hellman protocol (OSIDH), analogous to the supersingular isogeny Diffie-Hellman (SIDH) of De Feo and Jao [18] and generalizing the commutative supersingular isogeny Diffie-Hellman (CSIDH) of Castryck, Lange, Martindale, Panny and Renes [5], the latter based on the idea of group actions on sets by Couveignes [9] and Rostovtsev-Stolbunov [25]. Renewed interest in these isogeny-based protocols is motivated by their presumed resistance to quantum attacks, and this work both enlarges the class of isogeny-based protocols and provides a framework for their security analysis.
We study some theoretical and practical aspects of the endomorphism ring of a supersingular elliptic curve and their connection with isogeny graphs. The central idea is to use an embedding of a quadratic imaginary order into the endomorphism ring of a supersingular elliptic curve, a maximal order in a quaternion algebra, to introduce an orientation on the curve. This extra piece of information permits one to impose compatible actions of the class groups of the suborders of this quadratic order on the descending isogeny chains and therefore on the isogeny volcano of oriented curves.
We observe that the starting vertex of the chain can be chosen to have a special orientation (by an order of class number one) and that computations can be performed using modular polynomials. This motivates us to introduce a Diffie-Hellman key exchange protocol that avoids limitations imposed by earlier constructions.
The idea of SIDH is to fix a large prime number $p$ of the form $p = \ell_A^{e_A}\ell_B^{e_B} f \pm 1$ for a small cofactor $f$ and to let the two parties Alice and Bob take random walks (i.e., isogeny chains) of length $e_A$ (or $e_B$) in the $\ell_A$-isogeny graph (or the $\ell_B$-isogeny graph, respectively) on the set of supersingular $j$-invariants defined over $\mathbb{F}_{p^2}$. In order to have the two key spaces of similar size $\ell_A^{e_A} \approx \ell_B^{e_B}$, we need to take $\ell_A^{e_A} \approx \ell_B^{e_B} \approx \sqrt{p}$. Since the total number of supersingular $j$-invariants is around $p/12$, this implies that, for each party, the space of choices for the secret key is limited to a fraction $1/\sqrt{p}$ of the whole set of supersingular $j$-invariants over $\mathbb{F}_{p^2}$. In other words, in choosing their secrets, Alice and Bob can go only "halfway" around the graph from the starting vertex $j_0$. Recently, Castryck, Lange, Martindale, Panny and Renes proposed another key exchange protocol based on supersingular isogeny graphs over the prime field $\mathbb{F}_p$. We fix a prime of the form $p = 4\ell_1 \cdots \ell_t - 1$ and an elliptic curve $E/\mathbb{F}_p$ defined by the equation $E : y^2 = x^3 + ax^2 + x$. The peculiarity of CSIDH is that it works with curves defined over $\mathbb{F}_p$ and restricts the endomorphism rings of such curves to the commutative subring consisting of $\mathbb{F}_p$-rational endomorphisms. Starting from this setup, the scheme is an adaptation of the Couveignes and Rostovtsev-Stolbunov idea. Observe that the choice of looking at curves defined over $\mathbb{F}_p$, instead of $\mathbb{F}_{p^2}$, limits the key spaces for Alice and Bob to $\#\mathcal{C}\ell(\mathbb{Z}[\sqrt{-p}])$ supersingular points. For a given $p$, this is the same order of magnitude, $O(\sqrt{p}\log(p))$, as for SIDH, but the class group is transitive on this subset. In this paper we want to describe a new cryptographic protocol, OSIDH, defined over an arbitrarily large subset of oriented supersingular elliptic curves over $\mathbb{F}_{p^2}$, which combines features of SIDH and CSIDH, and permits one to cover an arbitrary proportion of all isomorphism classes of supersingular elliptic curves.
A feature shared by SIDH and CSIDH is that the isogenies are constructed as quotients of rational torsion subgroups: the secret path of length $e_A$ in the $\ell_A$-isogeny graph corresponds to a secret cyclic subgroup $\langle A \rangle \subseteq E[\ell_A^{e_A}]$ where $A$ is a rational $\ell_A^{e_A}$-torsion point on $E$. The need for rational points imposes limits on the choice of the prime $p$ and, thus, of the finite field we work over. In contrast, OSIDH relies on constructions that can be carried out using only modular polynomials, hence avoiding conditions on the rational torsion subgroup.
In summary, an orientation provides a class group action on lifts of an arbitrarily large subset of supersingular points. Exploiting an effective subring $\mathcal{O}$ of the full endomorphism ring we obtain an effective action by the class group of this subring on the isogeny volcano (whirlpool). This approach generalizes the class group action of CSIDH where supersingular elliptic curves are oriented by the commutative subring $\mathbb{Z}[\pi]$ generated by Frobenius $\pi = \sqrt{-p}$. To avoid subexponential (or polynomial) time reductions, in the OSIDH protocol, as detailed in Section 5, the orientation and associated class group action is hidden in the intermediate data exchanged by Alice and Bob. This gives a protocol for which the best known attacks at present are fully exponential.

Orientations, isogeny chains, and ladders
In this section, we recall the definition of an isogeny graph and introduce the notion of orienting supersingular elliptic curves and their isogenies by an imaginary quadratic field K and its orders O. Finally, we describe how to impose a structure on an isogeny graph by means of isogeny chains and how to carry out an effective class group action, by means of ladders.
Isogeny graphs. Given an elliptic curve $E$ over a field $k$, and a finite set of primes $S$, we can associate an isogeny graph $\Gamma = \Gamma_S(E)$, whose vertices are elliptic curves $k$-isogenous to $E$, with fixed vertex $E$, and whose directed edges are isogenies of degree $\ell \in S$. The vertices are defined up to $\bar{k}$-isomorphism, and the edges from a given vertex are defined up to a $\bar{k}$-isomorphism of the codomain. If $S = \{\ell\}$, then we call $\Gamma$ an $\ell$-isogeny graph, which we write as $\Gamma_\ell(E)$.
An $\ell$-isogeny graph $\Gamma$ is equipped with an action of $G = \mathrm{Gal}(\bar{k}/k)$, with the vertex $[E]$ a fixed point, as follows. We have The set of cyclic subgroups of $E[\ell]$ is in bijection with $\mathbb{P}(E[\ell]) \cong \mathbb{P}^1(\mathbb{Z}/\ell\mathbb{Z})$, which in turn is in bijection with the set of $\ell$-isogenies from $E$. The $G$-action on $E[\ell]$ induces an action by $G$ on the $\ell + 1$ cyclic subgroups. This action extends to paths without backtracking of length $n$, via the action on the cyclic subgroups $G$ of order $\ell^n$ in $E[\ell^n]$, which are in bijection with $\mathbb{P}(E[\ell^n]) \cong \mathbb{P}^1(\mathbb{Z}/\ell^n\mathbb{Z})$. This determines a compatible Galois action on vertices $[E/G]$ and edges $\varphi :$ is of index $\ell$. The action on infinite paths from $E$ is thus determined by the Galois action on the projective Tate module $\mathbb{P}(T_\ell(E)) \cong \mathbb{P}^1(\mathbb{Z}_\ell)$. In the same way we define the $G$-action on $\Gamma_S(E)$ derived from the $G$-set structure of $\mathbb{P}(T_S(E))$, where The choice of base curve $E$ determines a Galois action on $\Gamma$, conjugate to the Galois action induced by a twist of $E$.
Thus an $\ell$-isogeny graph is $(\ell + 1)$-regular for outgoing edges. The existence of curves of $j$-invariant $0$ or $12^3$ with additional automorphisms in the graph implies a reduced number of incoming edges at these vertices. We define an undirected graph $\Gamma_\ell(E)$ by identifying an isogeny $\varphi : E_0 \to E_1$ with its dual $\hat{\varphi} : E_1 \to E_0$, and if $\mathrm{Aut}(E_0) \neq \{\pm 1\}$ or $\mathrm{Aut}(E_1) \neq \{\pm 1\}$ the orbits $\mathrm{Aut}(E_1)\varphi\mathrm{Aut}(E_0)$ and $\mathrm{Aut}(E_0)\hat{\varphi}\mathrm{Aut}(E_1)$ are identified, which gives a non-bijective correspondence between edges and dual edges.

Lemma 1. Let $E$ be an elliptic curve over $k$ with endomorphism ring $\mathcal{O}$, and for a prime $\ell \neq \mathrm{char}(k)$ let $\Gamma_\ell(E)$ be its undirected $\ell$-isogeny graph.
(1) If $\mathcal{O} = \mathbb{Z}$, then each component of $\Gamma_\ell(E)$ is an infinite tree.
(2) If $\mathcal{O}$ is an order in a CM field $K$, then each component $\Gamma$ of $\Gamma_\ell(E)$ is infinite and either
• the prime $\ell$ is split in $K$ and $\Gamma$ has a unique cycle, or
• the prime $\ell$ is ramified or inert in $K$ and $\Gamma$ is a tree.

If $E$ is defined over a number field, then case (1) is the generic case and in the CM case (2), every curve admits an embedding of an order of $K$ in its endomorphism ring, and the Galois action is determined by CM theory (see Shimura [27]). If $E$ is defined over a finite field, then only case (2) (ordinary) or case (3) (supersingular) can hold. The ordinary case gives rise to an $\ell$-isogeny graph in bijection with the CM graph with CM field $K = \mathbb{Q}(\pi)$, where $\pi$ is the Frobenius endomorphism. In the supersingular case we have more precisely that there are $(p-1)/12$

In the next section we introduce the notion of a $K$-orientation by an imaginary quadratic field $K$, which allows us to canonically lift the finite supersingular graph to an infinite oriented CM graph.
Orientations. Suppose now that $E$ is a supersingular elliptic curve over a finite field $k$ of characteristic $p$, and denote by $\mathrm{End}(E)$ the full endomorphism ring. We assume moreover that $k$ contains $\mathbb{F}_{p^2}$ and $E$ is in an isogeny class such that $\mathrm{End}_k(E) = \mathrm{End}(E)$. We denote by $\mathrm{End}^0(E)$ the $\mathbb{Q}$-algebra $\mathrm{End}(E) \otimes_{\mathbb{Z}} \mathbb{Q}$. In particular, $\mathrm{End}^0(E)$ is the unique quaternion algebra over $\mathbb{Q}$ ramified at $p$ and $\infty$.
Let $K$ be a quadratic imaginary field of discriminant $\Delta_K$ with maximal order $\mathcal{O}_K$. Then there exists an embedding $\iota : K \to \mathrm{End}^0(E)$ if and only if $p$ is inert or ramified in $\mathcal{O}_K$, and there exists an order $\mathcal{O} \subseteq \mathcal{O}_K$ such that $\iota(\mathcal{O}) = \iota(K) \cap \mathrm{End}(E)$.

Definition 2.
A $K$-orientation on a supersingular elliptic curve $E/k$ is a homomorphism $\iota : K \to \mathrm{End}^0(E)$. An $\mathcal{O}$-orientation on $E$ is a $K$-orientation such that the image of the restriction of $\iota$ to $\mathcal{O}$ is contained in $\mathrm{End}(E)$. We write $\mathrm{End}((E, \iota))$ for the order $\mathrm{End}(E) \cap \iota(K)$ in $\iota(K)$. An $\mathcal{O}$-orientation is primitive if $\iota$ induces an isomorphism of $\mathcal{O}$ with $\mathrm{End}((E, \iota))$.
Conversely, given $K$-oriented elliptic curves $(E, \iota_E)$ and $(F, \iota_F)$ we say that an isogeny $\varphi : E \to F$ is $K$-oriented if the orientation on $F$ is induced by $\varphi$. The restriction to $K$-oriented isogenies determines a category of $K$-oriented elliptic curves, hence of $K$-oriented isomorphism classes, and a subcategory of $\mathcal{O}$-oriented elliptic curves. If $E$ admits a primitive $\mathcal{O}$-orientation by an order $\mathcal{O}$ in $K$, and $\varphi : E \to F$ is an isogeny, then $F$ admits an induced primitive $\mathcal{O}'$-orientation for an order $\mathcal{O}'$ satisfying We say that an isogeny $\varphi :$ If $\ell$ is prime, as a direct analogue of Proposition 4.2.23 of [19], one of the following holds:
• $\mathcal{O} = \mathcal{O}'$ and we say that $\varphi$ is horizontal,
• $\mathcal{O} \subset \mathcal{O}'$ with index $\ell$ and we say that $\varphi$ is ascending,
• $\mathcal{O}' \subset \mathcal{O}$ with index $\ell$ and we say that $\varphi$ is descending.
Moreover if the discriminant of $\mathcal{O}$ is $\Delta$, then there are exactly $\ell - \left(\frac{\Delta}{\ell}\right)$ descending isogenies. If $\mathcal{O}$ is maximal at $\ell$, then there are $\left(\frac{\Delta}{\ell}\right) + 1$ horizontal isogenies, and if $\mathcal{O}$ is non-maximal at $\ell$, then there is exactly one ascending $\ell$-isogeny and no horizontal isogenies.
For an oriented class $(E, \iota)$ with endomorphism ring $\mathcal{O} = \mathrm{End}((E, \iota))$, we define $(E, \iota)$ to be at the surface (or depth $0$) if $\mathcal{O}$ is $\ell$-maximal, and to be at depth $n$ if the valuation at $\ell$ of $[\mathcal{O}_K : \mathcal{O}]$ is $n$. In the next section we introduce $\ell$-isogeny chains linking oriented curves at the surface to oriented curves at depth $n$.
The oriented graph $\Gamma_S(E, \iota)$ is the graph whose vertices are $K$-oriented isomorphism classes, with fixed base vertex $(E, \iota)$, and whose edges are $K$-oriented $\ell$-isogenies for $\ell$ in $S$.
Isogeny chains and ladders. Let $E_0/k$ be a fixed supersingular elliptic curve, equipped with an $\mathcal{O}$-orientation, and let $\ell \neq p$ be a prime.
Definition 3. We define an $\ell$-isogeny chain of length $n$ from $E_0$ to $E$ to be a sequence of isogenies of degree $\ell$:
$$E_0 \xrightarrow{\varphi_0} E_1 \xrightarrow{\varphi_1} \cdots \xrightarrow{\varphi_{n-1}} E_n = E.$$
We say that the $\ell$-isogeny chain is without backtracking if $\ker(\varphi_{i+1} \circ \varphi_i) \neq E_i[\ell]$ for each $i = 0, \ldots, n-1$, and say that the isogeny chain is descending (or ascending, or horizontal) if each $\varphi_i$ is descending (or ascending, or horizontal, respectively).
Remark. Since the dual isogeny of $\varphi_i$ is, up to isomorphism, the only isogeny $\varphi_{i+1}$ for which $\varphi_{i+1} \circ \varphi_i$ is not cyclic, an isogeny chain is without backtracking if and only if the composition of two consecutive isogenies is cyclic. Moreover, we can extend this characterization in terms of cyclicity to the entire $\ell$-isogeny chain.

Remark. If an isogeny $\varphi$ is descending, then the unique ascending isogeny from $\varphi(E)$, up to isomorphism, is the dual isogeny $\hat{\varphi}$, satisfying $\hat{\varphi}\varphi = [\ell]$. As an immediate consequence, a descending $\ell$-isogeny chain is automatically without backtracking, and an $\ell$-isogeny chain without backtracking is descending if and only if $\varphi_0$ is descending.
In particular, if $(E_i, \varphi_i)$ is a descending $\ell$-chain, then $\iota_i$ induces an isomorphism Let $q$ be a prime different from $p$ and $\ell$ that splits in $\mathcal{O}_K$, and let $\mathfrak{q}$ be a fixed prime over $q$. For each $i$ we set $\mathfrak{q}^{(i)} = \iota_i(\mathfrak{q}) \cap \mathcal{O}_i$, and define We define $F_i = E_i/C_i$, and let $\psi_i : E_i \to F_i$ be the quotient isogeny, of degree $q$. By construction, it follows that $\varphi_i(C_i) = C_{i+1}$ for all $i = 0, \ldots, n-1$. In particular, if $(E_i, \varphi_i)$ is a descending $\ell$-ladder, then $\iota_i$ induces an isomorphism The isogeny $\psi_0 : E_0 \to F_0 = E_0/C_0$ gives the following diagram of isogenies: and for each $i = 0, \ldots, n-1$ there exists a unique $\varphi_i' : F_i \to F_{i+1}$ with kernel $\psi_i(\ker(\varphi_i))$ such that the following diagram commutes: This construction motivates the following definition.
Definition 5. An $\ell$-ladder of length $n$ and degree $q$ is a commutative diagram of $\ell$-isogeny chains We also refer to an $\ell$-ladder of degree $q$ as a $q$-isogeny of $\ell$-isogeny chains, which we express as $\psi : (E_i, \varphi_i) \to (F_i, \varphi_i')$. We say that an $\ell$-ladder is ascending (or descending, or horizontal) if the $\ell$-isogeny chain $(E_i, \varphi_i)$ is ascending (or descending, or horizontal, respectively). We say that the $\ell$-ladder is level if $\psi_0$ is a horizontal $q$-isogeny. If the $\ell$-ladder is descending (or ascending), then we refer to the length of the ladder as its depth (or, respectively, as its height).
In particular, if the $\ell$-ladder is level, then $(E_i, \varphi_i)$ is descending (or ascending, or horizontal) if and only if $(F_i, \varphi_i')$ is descending (or ascending, or horizontal).
Remark. In the sequel we will assume that $E_0$ is oriented by a maximal order $\mathcal{O}_K$. In Section 3 we investigate using the effective horizontal isogenies of $E_0$ to derive an effective class group action, and introduce a modular version of this action in Section 4. Walking down a descending isogeny chain, each elliptic curve will be oriented by an order of decreasing size, and the final elliptic curve, which will be our final object of study, will have an orientation by an order of large index in $\mathcal{O}_K$ with action by a large class group.
Since the supersingular $\ell$-isogeny graph is connected, every supersingular elliptic curve admits an $\ell$-isogeny chain back to a curve oriented by any given maximal order $\mathcal{O}_K$, so such a construction exists for any supersingular elliptic curve.

Oriented curves and class group action
Let $SS(p)$ denote the set of supersingular elliptic curves over $\overline{\mathbb{F}}_p$ up to isomorphism, let $SS_{\mathcal{O}}(p)$ be the set of $\mathcal{O}$-oriented supersingular elliptic curves up to $K$-isomorphism over $\overline{\mathbb{F}}_p$, and denote the subset of primitive $\mathcal{O}$-oriented curves by $SS^{pr}_{\mathcal{O}}(p)$.

Class group action. The set $SS_{\mathcal{O}}(p)$ admits a transitive group action: where $\mathfrak{a}$ is any representative ideal coprime to the index is horizontal. When restricted to primitive $\mathcal{O}$-oriented curves, we obtain the following classical result, extending the standard result for CM elliptic curves.
Theorem 7. The class group $\mathcal{C}\ell(\mathcal{O})$ acts faithfully and transitively on the set of $\mathcal{O}$-isomorphism classes of primitive $\mathcal{O}$-oriented elliptic curves.
In particular, for fixed primitive $\mathcal{O}$-oriented $E$, we hence obtain a bijection of sets: $[\mathfrak{a}] \cdot E$ For any ideal class $[\mathfrak{a}]$ and generating set $\{\mathfrak{q}_1, \ldots, \mathfrak{q}_r\}$ of small primes, coprime to $\ell$, in order to compute the action via a sequence of low-degree isogenies.
For an ordinary $\ell$-isogeny graph $\Gamma_\ell(E)$, the points defined over $\mathbb{F}_{p^n}$ are determined by the condition $\mathbb{Z}[\pi^n] \subseteq \mathrm{End}(E)$. Since the class numbers of orders $\mathcal{O}$ in $K$ are unbounded, the previous theorem implies that the oriented supersingular graphs are infinite. While all supersingular curves and isogenies can be defined over $\mathbb{F}_{p^2}$, we can use the inclusion of an order $\mathcal{O} \subset \mathrm{End}(E)$ to restrict to a finite subgraph.
is an infinite graph which is the union of the finite subgraphs whose vertices are restricted to $SS_{\mathcal{O}}(p)$ for an order $\mathcal{O}$ in $K$.
The subrings $\mathcal{O}_n = \mathbb{Z} + \ell^n\mathcal{O}$ are a linearly ordered family which serve to bound the depth of $K$-oriented curves relative to a curve at the surface with orientation by an $\ell$-maximal order $\mathcal{O}$.
On vortices and whirlpools. Instead of considering the union of different isogeny graphs as in Couveignes [9] and Rostovtsev-Stolbunov [25], we focus on a fixed prime $\ell$ and we think of the other primes as acting on the $\ell$-isogeny graph. The resulting object is the union of $\ell$-isogeny volcanoes mixing under the action of $\mathcal{C}\ell(\mathcal{O})$. This action stabilizes the subgraph at the surface (the craters) and preserves descending paths. This view is consistent with the construction of orientations by $\ell$-isogeny chains (paths in the $\ell$-isogeny graph) anchored at the surface, with action of the class group determined by ladders.

Definition 9.
A vortex is defined to be an $\ell$-isogeny subgraph whose vertices are isomorphism classes of $\mathcal{O}$-oriented elliptic curves with $\ell$-maximal endomorphism ring, equipped with the action of $\mathcal{C}\ell(\mathcal{O})$. A whirlpool is defined to be a complete $\ell$-isogeny graph of $K$-oriented elliptic curves whose subgraphs of $\mathcal{O}_n$-oriented classes are acted on by $\mathcal{C}\ell(\mathcal{O}_n)$.
The underlying graph of a whirlpool is composed of multiple connected components, with the class group acting transitively on components with the same $\ell$-maximal order of its vortex. The existence of multiple components of $\ell$-volcanoes is studied in [21] and [15], where the set of $\ell$-volcanoes is called an $\ell$-cordillera. A general whirlpool can be depicted as in Figure 3, as an $\ell$-cordillera (black lines) acted on by the class group, as represented by colored arrows.

The forgetful map to unoriented isogeny graphs. In this section we address the extent of non-injectivity of the forgetful map from oriented curves in the infinite oriented supersingular $\ell$-isogeny graphs to the finite supersingular graph. By Theorem 7, we have a bijection (isomorphism of sets with $\mathcal{C}\ell(\mathcal{O})$-action): determined by a descending $\ell$-isogeny chain, the class numbers satisfy the geometric $\mathcal{O}_{i+1}(p)$. Consequently we have an unbounded chain of sets

to the isomorphism class $[E]$ determined by the $j$-invariant $j(E)$.
This motivates the questions of when the map $SS_{\mathcal{O}_i}(p) \to SS(p)$ and its restriction to $SS^{pr}_{\mathcal{O}_i}(p)$ are injective, and when these maps are surjective. We adopt the notation $H(p)$ for the cardinality $|SS(p)|$ of supersingular curves, denote by $X_i$ the image of $SS_{\mathcal{O}_i}(p)$ in $SS(p)$ and write $Y_i$ for the image of $SS^{pr}_{\mathcal{O}_i}(p)$. Moreover we write $\lambda_i = \log_p(|\Delta_i|)$ where $\Delta_i = \ell^{2i}\Delta_K = \mathrm{disc}(\mathcal{O}_i)$. With this notation Figure 6 and Figure 7 give tables of values for $|Y_i|$, $|X_i|$, and $\lambda_i$, for primes of 10 and 12 bits respectively, depicting the boundary line for injectivity at $\lambda_i = 1$ and the critical line for surjectivity at $\lambda_i = 2$. We conclude this section with a general proposition, which follows from the following algebraic lemma, in order to justify the injectivity bound.
Proof. The equality $\mathrm{Tr}(\omega) = 0$ follows from the relation $\mathrm{Tr}(\alpha_1\alpha_2) = \mathrm{Tr}(\alpha_2\alpha_1)$ and linearity of the reduced trace. The expression for the reduced norm $\mathrm{Nr}(\omega)$ is an elementary calculation. The congruence $\mathrm{Nr}(\omega) \equiv 0 \bmod p$ holds since the unique maximal ideal $P$ over $p$ in the quaternion order is the subset of elements $\alpha$ with $\mathrm{Nr}(\alpha) \equiv 0 \bmod p$, and the quotient by $P$ is isomorphic to the (commutative) finite field $\mathbb{F}_{p^2}$. Hence $\alpha_1\alpha_2 \equiv \alpha_2\alpha_1 \bmod P$, which implies $\omega \equiv 0 \bmod P$, from which $\mathrm{Nr}(\omega) \equiv 0 \bmod p$ holds.
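The two claims of this proof can be checked on actual endomorphisms. The Python block below is an added example written for this page, not the authors' computation. It assumes $p \equiv 3 \bmod 4$ and works in the $\mathbb{Z}$-order $\mathbb{Z}\langle 1, i, j, k\rangle$ of the quaternion algebra $(-1, -p)_{\mathbb{Q}}$ with $i^2 = -1$, $j^2 = -p$, $k = ij$; for $E : y^2 = x^3 + x$ over $\mathbb{F}_p$ this is the subring $\mathbb{Z}\langle 1, [i], \pi, [i]\pi\rangle$ of $\mathrm{End}(E)$, with $\pi$ the Frobenius, and it lies in the maximal order the proof refers to. For explicit pairs and for every pair with small coordinates it forms $\omega = \alpha_1\alpha_2 - \alpha_2\alpha_1$, verifies $\mathrm{Tr}(\omega) = 0$ and $\mathrm{Nr}(\omega) \equiv 0 \bmod p$, and compares $\mathrm{Nr}(\omega)$ with the closed form $\mathrm{Nr}(\omega) = \bigl(\Delta(\alpha_1)\Delta(\alpha_2) - (2\mathrm{Tr}(\alpha_1\alpha_2) - \mathrm{Tr}(\alpha_1)\mathrm{Tr}(\alpha_2))^2\bigr)/4$, where $\Delta(\alpha) = \mathrm{Tr}(\alpha)^2 - 4\mathrm{Nr}(\alpha)$. That closed form is our own write-out of the "elementary calculation" (the page does not print it); the prime $p = 83$ and the sample elements are illustrative choices.

```python
"""Commutators in a quaternion order of B_{p,oo}: an added check of the lemma's claims,
not code from the paper.  Setting assumed here: p = 3 mod 4, B = (-1, -p)_Q with i^2 = -1,
j^2 = -p, k = ij, and the Z-order Z<1, i, j, k>.  For E: y^2 = x^3 + x over F_p this order is
Z<1, [i], pi, [i]pi> inside End(E), pi the Frobenius, so the elements are real endomorphisms."""
from itertools import product

class Quat:
    """a + b*i + c*j + d*k, with i^2 = -1, j^2 = -p, k = ij (so ji = -k and k^2 = -p)."""
    def __init__(self, p, a, b=0, c=0, d=0):
        self.p, self.v = p, (a, b, c, d)
    def __add__(self, o): return Quat(self.p, *(x + y for x, y in zip(self.v, o.v)))
    def __sub__(self, o): return Quat(self.p, *(x - y for x, y in zip(self.v, o.v)))
    def __eq__(self, o): return isinstance(o, Quat) and self.p == o.p and self.v == o.v
    def __repr__(self): return "Quat(p=%d, %s)" % (self.p, self.v)
    def __mul__(self, o):
        # basis products for (-1, -p): ij = k, jk = p*i, ki = j; reversing the order flips the sign
        p, (a1, b1, c1, d1), (a2, b2, c2, d2) = self.p, self.v, o.v
        return Quat(p, a1*a2 - b1*b2 - p*c1*c2 - p*d1*d2,
                       a1*b2 + b1*a2 + p*(c1*d2 - d1*c2),
                       a1*c2 + c1*a2 - b1*d2 + d1*b2,
                       a1*d2 + d1*a2 + b1*c2 - c1*b2)
    def trace(self): return 2 * self.v[0]                       # reduced trace
    def norm(self):                                            # reduced norm
        a, b, c, d = self.v
        return a*a + b*b + self.p*(c*c + d*d)
    def disc(self): return self.trace()**2 - 4 * self.norm()   # discriminant of Z[alpha]

def commutator(x, y): return x*y - y*x

def check_lemma(x, y):
    """For w = xy - yx return (Tr(w), Nr(w), Nr(w) mod p, closed form agrees).  The closed form
    Nr(w) = (D(x) D(y) - (2 Tr(xy) - Tr(x) Tr(y))^2) / 4 is our own write-out of the "elementary
    calculation" (Lagrange's identity on the trace-zero parts); the page does not print it."""
    w = commutator(x, y)
    t1, t2 = x.trace(), y.trace()
    closed = (x.disc() * y.disc() - (2 * (x*y).trace() - t1 * t2)**2) // 4
    return w.trace(), w.norm(), w.norm() % x.p, w.norm() == closed

def noncommuting_lower_bound(x, y):
    """If x and y do not commute, Nr(w) is a positive multiple of p, so p <= Nr(w) <= D(x)D(y)/4:
    two non-commuting elements of End(E) satisfy |D(x)| |D(y)| >= 4p.  Returns that check."""
    if commutator(x, y) == Quat(x.p, 0): return True
    return abs(x.disc()) * abs(y.disc()) >= 4 * x.p

def scan(p, bound=1):
    """Exhaustively check every pair with coordinates in [-bound, bound]; returns (pairs, all ok)."""
    elems = [Quat(p, *v) for v in product(range(-bound, bound + 1), repeat=4)]
    ok = True
    for x in elems:
        for y in elems:
            tr, _, nr_mod_p, closed_ok = check_lemma(x, y)
            ok = ok and tr == 0 and nr_mod_p == 0 and closed_ok and noncommuting_lower_bound(x, y)
    return len(elems) ** 2, ok

if __name__ == "__main__":
    p = 83                                                     # illustrative prime, 83 = 3 mod 4
    x, y = Quat(p, 1, 1), Quat(p, 0, 0, 1)                     # 1 + [i] and the Frobenius pi
    print("w =", commutator(x, y), "-> (Tr, Nr, Nr mod p, closed form ok) =", check_lemma(x, y))
    print("pairs checked, all claims hold:", scan(p))
```

Because $\mathrm{Nr}(\omega)$ is a positive multiple of $p$ whenever $\alpha_1$ and $\alpha_2$ do not commute, the closed form bounds it from above by $\Delta(\alpha_1)\Delta(\alpha_2)/4$, so two non-commuting quadratic suborders of $\mathrm{End}(E)$ cannot both have discriminant below $2\sqrt{p}$; `noncommuting_lower_bound` checks exactly that inequality, which is the type of constraint the injectivity discussion above rests on.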

Modular isogenies
In this section we consider the way in which we effectively represent and compute isogenies. With the view to oriented isogenies, we focus on horizontal isogenies with kernel $E[\mathfrak{q}]$, where $E$ is a primitive $\mathcal{O}$-oriented elliptic curve and $\mathfrak{q}$ a prime ideal of $\iota(\mathcal{O})$. In the Couveignes [9] or the Rostovtsev-Stolbunov [25] constructions, or in the CSIDH protocol [5], one works with the ring $\mathcal{O} = \mathbb{Z}[\pi]$. The disadvantage is that for large finite fields, the class group of $\mathcal{O}$ is large and the primes $\mathfrak{q}$ in $\mathcal{O}$ have no small degree elements. For large $p$ and small $q$, the smallest degree element of a prime $\mathfrak{q}$ of norm $q$ is the endomorphism $[q]$, of degree $q^2$. The division polynomial $\psi_q(x)$, which cuts out the torsion group $E[q]$, is of degree $(q^2 - 1)/2$. Consequently factoring $\psi_q(x)$ to find the kernel polynomial (see Kohel [19, Chapter 2]) of degree $(q-1)/2$ for $E[\mathfrak{q}]$ is relatively expensive. As a result, in the SIDH protocol [18], the ordinary protocol of De Feo, Smith, and Kieffer [11], or the CSIDH protocol [5], the curves are chosen such that the points of $E[\mathfrak{q}]$ are defined over a small degree extension $\kappa/k$, particularly $[\kappa : k] \in \{1, 2\}$, and one works with rational points in $E(\kappa)$.
In the OSIDH protocol outlined below, we propose the use of an effective CM order $\mathcal{O}_K$ of class number $1$. In particular every prime $\mathfrak{q}$ of norm $q$ is generated by an endomorphism of the minimal degree $q$. For example we may take $\mathcal{O}_K$ to be the Eisenstein or Gaussian integers, of discriminant $-3$ or $-4$, generated by an automorphism. The kernel polynomial of degree $(q-1)/2$ can be computed directly without need for a splitting field for $E[q]$, and the computation of a generator isogeny is a one-time precomputation. Using an analog of the construction of division polynomials, the computation of the kernel polynomial requires $O(q)$ field operations.
Push forward isogenies. The extension of an isogeny (or, as we will see in the next section, of an endomorphism) of $E_0$ to an $\ell$-isogeny chain $(E_i, \varphi_i)$ reduces to the construction of a ladder. At each step we are given $\varphi_i : E_i \to E_{i+1}$ and $\psi_i : E_i \to F_i$ of coprime degrees, and need to compute the isogenies $\varphi_i' : F_i \to F_{i+1}$ and $\psi_{i+1} : E_{i+1} \to F_{i+1}$ completing the square. Rather than working with elliptic curves and isogenies, we construct the oriented graphs directly as points on a modular curve linked by modular correspondences defined by modular polynomials.
Modular curves and isogenies. The use of modular curves for efficient computation of isogenies has an established history (see Elkies [14]). For this purpose we represent isogeny chains and ladders as finite sequences of points on the modular curve X = X(1) preserving the relations given by a modular equation.
We recall that the modular curve $X(1) \cong \mathbb{P}^1$ classifies elliptic curves up to isomorphism, and the function $j$ generates its function field. The family of elliptic curves covers all isomorphism classes $j \neq 0, 12^3$ or $\infty$, such that the fiber over $j_0 \in k$ is an elliptic curve of $j$-invariant $j_0$. The curves $y^2 + y = x^3$ and $y^2 = x^3 + x$ deal with the cases $j = 0$ and $j = 1728$.
The modular polynomial $\Phi_m(X, Y)$ defines a correspondence in $X(1) \times X(1)$ such that $\Phi_m(j(E), j(E')) = 0$ if and only if there exists a cyclic $m$-isogeny $\varphi$ from $E$ to $E'$, possibly over some extension field. The curve in $X(1) \times X(1)$ cut out by $\Phi_m(X, Y) = 0$ is a singular image of the modular curve $X_0(m)$ parametrizing such pairs $(E, \varphi)$.
Remark. The modular curve $X(1)$ can be replaced by any genus $0$ modular curve $X$ parametrizing elliptic curves with level structure. Lifting the modular polynomials back to $X$ of higher level (but still genus $0$) has the advantage of reducing the coefficient size of the corresponding modular polynomials $\Phi_m(X, Y)$.
In the case of CSIDH, the authors use $X = X_0(4)$, with a modular function $a \in k(X_0(4))$ to parametrize the family of curves $E : y^2 = x(x^2 + ax + 1)$, together with a cyclic subgroup $C \subset E$ of order $4$, whose generators are cut out by $x = 1$. The map $X \to X(1)$ is given by The approach via modular isogenies of this section can be adapted as well to the CSIDH protocol.

Definition 14.
A modular $\ell$-isogeny chain of length $n$ over $k$ is a finite sequence $(j_0, j_1, \ldots, j_n)$ in $k$ such that $\Phi_\ell(j_i, j_{i+1}) = 0$ for $0 \le i < n$. A modular $\ell$-ladder of length $n$ and degree $q$ over $k$ is a pair of modular $\ell$-isogeny chains $(j_0, j_1, \ldots, j_n)$ and $(j_0', j_1', \ldots, j_n')$ such that $\Phi_q(j_i, j_i') = 0$ for $0 \le i \le n$. Clearly an $\ell$-isogeny chain $(E_i, \varphi_i)$ determines the modular $\ell$-isogeny chain $(j_i = j(E_i))$, but the converse is equally true.
Proposition 15. If $(j_0, \ldots, j_n)$ is a modular $\ell$-isogeny chain over $k$, and $E_0/k$ is an elliptic curve with $j(E_0) = j_0$, then there exists an $\ell$-isogeny chain $(E_i, \varphi_i)$ with $j(E_i) = j_i$.

Given any modular $\ell$-isogeny chain $(j_i)$, elliptic curve $E_0$ with $j(E_0) = j_0$, and isogeny $\psi_0 : E_0 \to F_0$, it follows that we can construct an $\ell$-ladder $\psi : (E_i, \varphi_i) \to (F_i, \varphi_i')$ and hence a modular $\ell$-isogeny ladder. In fact the $\ell$-ladder can be efficiently constructed recursively from the modular $\ell$-isogeny chain $(j_0, \ldots, j_n)$ and $(j_0', \ldots, j_n')$, by solving the system of equations $\Phi_\ell(j_i', Y) = 0$, $\Phi_q(j_{i+1}, Y) = 0$ for the common root $Y = j_{i+1}'$.

Remark. The modular polynomial $\Phi_q(X, Y)$ is of degree $q + 1$ in $X$ and $Y$. The evaluation at $X = j \in \mathbb{F}_{p^2}$ requires $O(q^2)$ field multiplications. The subsequent gcd requires $O(\ell q)$ operations, and these operations are repeated to depth $n$.

OSIDH
We consider an elliptic curve $E_0/k$ ($k = \mathbb{F}_{p^2}$) with an $\mathcal{O}_K$-orientation by an effective ring $\mathcal{O}_K$ of class number $1$, e.g. $j = 0$ or $j = 12^3$ (for which $\mathcal{O}_K = \mathbb{Z}[\zeta_3]$ or $\mathbb{Z}[i]$), a small prime $\ell$, and a descending $\ell$-isogeny chain from $E_0$ to $E = E_n$. The $\mathcal{O}_K$-orientation on $E_0$ and the $\ell$-isogeny chain induce isomorphisms and we set $\mathcal{O} = \mathcal{O}_n$. By hypothesis on $E_0/k$ (the class number of $\mathcal{O}_K$ is $1$), any horizontal isogeny $\psi_0 : E_0 \to F_0$ is, up to the isomorphism $F_0 \cong E_0$, an endomorphism.
For a small prime $q$, we push forward a $q$-endomorphism $\varphi_0 \in \mathrm{End}(E_0)$ to a $q$-isogeny $\psi :$ and pushing forward to $\psi_n : E_n \to F_n$, we obtain the effective action of $\mathcal{C}\ell(\mathcal{O})$ on $\ell$-isogeny chains of length $n$ from $E_0$. In other words, the action of an ideal $\mathfrak{q}$ becomes non-trivial while pushing it down along a descending isogeny chain, due to the fact that $\mathfrak{q} \cap \mathcal{O}_i$ becomes "less and less principal".
In order to have the action of $\mathcal{C}\ell(\mathcal{O})$ cover a large portion of the supersingular elliptic curves, we require $\ell^n \sim p$, i.e., $n \sim \log_\ell(p)$.
Recall. The previous estimates are based on two very important results. Observe that the number of oriented elliptic curves that we can reach after $n$ steps equals the class number $h(\mathcal{O}_n)$ of $\mathcal{O}_n = \mathbb{Z} + \ell^n\mathcal{O}_K$. It is well-known [10, §7.D] that: On the other hand, we know that the number of supersingular elliptic curves over $\mathbb{F}_{p^2}$ is given by the following formula [28, V.4]: Therefore, in our case To realise the class group action, it suffices to replace the above $\ell$-ladder with its modular $\ell$-ladder.
we can solve iteratively for $j_{i+1}'$ from $j_i'$ and $j_{i+1}$ using the equations $\Phi_\ell(j_i', Y) = 0$ and $\Phi_q(j_{i+1}, Y) = 0$. The action of primes $\mathfrak{q}$ through $\mathcal{C}\ell(\mathcal{O})$ can be precomputed by its action on these initial segments, which permits us to separate the action of $\mathfrak{q}$ and $\bar{\mathfrak{q}}$, hence assures a unique solution to the above system.
Thus, the two curves obtained at level $i$ from $\mathfrak{q}$ and from $\bar{\mathfrak{q}}$ are distinct if and only if $\mathfrak{q}^2 \cap \mathcal{O}_i$ is not principal, and the probability that a random ideal in $\mathcal{O}_i$ is principal is $1/h(\mathcal{O}_i)$. In fact, we can do better; we write $\mathcal{O}_K = \mathbb{Z}[\omega]$ and we observe that if $\mathfrak{q}^2$ were principal, then since it would be generated by an element of Thus, as soon as $\ell^{2i} > q^2$ we are guaranteed that $\mathfrak{q}^2$ is not principal.
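The modular $\ell$-isogeny chains of Definition 14 and the depth requirement $\ell^n \sim p$ of this section can be tried end to end on a toy prime. The following Python block is an added example written for this page, not the authors' implementation. It takes $\ell = 2$, the classical modular polynomial $\Phi_2(X, Y)$, and $p = 83$ (so $p \equiv 3 \bmod 4$, $j = 1728$ is supersingular, and $\mathbb{F}_{p^2} = \mathbb{F}_p[i]$), finds the roots of $\Phi_2(j, Y)$ in $\mathbb{F}_{p^2}$ by brute force (adequate for the 10-bit primes of the tables above, hopeless beyond that), enumerates modular $2$-isogeny chains without backtracking from $j = 1728$, checks that the $2$-isogeny graph reaches all $\#SS(p)$ supersingular $j$-invariants, and computes the smallest depth $n$ with $h(\mathcal{O}_n) \ge \#SS(p)$. The class number of $\mathcal{O}_n = \mathbb{Z} + \ell^n\mathcal{O}_K$ for $\mathcal{O}_K = \mathbb{Z}[i]$ or $\mathbb{Z}[\zeta_3]$ is taken from the standard formula for non-maximal orders (Cox, Theorem 7.24, the fact cited above as [10, §7.D]) and $\#SS(p)$ from [28, V.4]; the prime, the start vertex and the choice $\ell = 2$ are illustrative assumptions.

```python
"""Modular 2-isogeny chains over F_{p^2} and the depth estimate h(O_n) vs #SS(p).  Added example
for this page, not the authors' code; roots of Phi_2(j, Y) are found by brute force over F_{p^2},
so keep p to about 10 bits, and p = 3 mod 4 is assumed throughout."""
from functools import lru_cache, reduce

# Classical modular polynomial Phi_2(X, Y), stored as {(a, b): coefficient of X^a Y^b}.
PHI2 = {(3, 0): 1, (0, 3): 1, (2, 2): -1, (2, 1): 1488, (1, 2): 1488,
        (2, 0): -162000, (0, 2): -162000, (1, 1): 40773375,
        (1, 0): 8748000000, (0, 1): 8748000000, (0, 0): -157464000000000}
def phi2_int(x, y):                              # Phi_2 over Z, for characteristic-zero sanity checks
    return sum(c * x**a * y**b for (a, b), c in PHI2.items())

# F_{p^2} = F_p[i] with i^2 = -1 (a field because p = 3 mod 4); a + b*i is stored as the pair (a, b).
def f_add(p, x, y): return ((x[0] + y[0]) % p, (x[1] + y[1]) % p)
def f_mul(p, x, y): return ((x[0]*y[0] - x[1]*y[1]) % p, (x[0]*y[1] + x[1]*y[0]) % p)
def f_pow(p, x, n): return reduce(lambda r, _: f_mul(p, r, x), range(n), (1, 0))

def phi2_in_y(p, j):
    """Coefficients [c0, c1, c2, c3] of the monic cubic Phi_2(j, Y) in Y over F_{p^2}."""
    coeffs = [(0, 0)] * 4
    for (a, b), c in PHI2.items():
        coeffs[b] = f_add(p, coeffs[b], f_mul(p, (c % p, 0), f_pow(p, j, a)))
    return coeffs

def poly_eval(p, coeffs, y):
    acc = (0, 0)
    for c in reversed(coeffs): acc = f_add(p, f_mul(p, acc, y), c)     # Horner; low-to-high storage
    return acc

def poly_div_root(p, coeffs, r):
    """Synthetic division by (Y - r): returns (quotient coefficients, remainder)."""
    n = len(coeffs) - 1
    quot, carry = [(0, 0)] * n, coeffs[n]
    for k in range(n - 1, -1, -1):
        quot[k] = carry
        carry = f_add(p, coeffs[k], f_mul(p, carry, r))
    return quot, carry

@lru_cache(maxsize=None)
def neighbours(p, j):
    """Roots of Phi_2(j, Y) in F_{p^2} with multiplicity: the j-invariants of the three 2-isogenous
    curves.  For supersingular j all three lie in F_{p^2}, so the cubic splits completely."""
    coeffs, roots = phi2_in_y(p, j), []
    for y in ((a, b) for a in range(p) for b in range(p)):
        if poly_eval(p, coeffs, y) != (0, 0): continue
        quot, rem = poly_div_root(p, coeffs, y)
        while rem == (0, 0):                       # peel off a repeated root as often as it divides
            roots.append(y); coeffs = quot
            quot, rem = poly_div_root(p, coeffs, y)
    return tuple(roots)

def component(p, j0):
    """Vertex set of the connected 2-isogeny graph through j0 (all of SS(p) when j0 is supersingular)."""
    seen, stack = {j0}, [j0]
    while stack:
        for k in neighbours(p, stack.pop()):
            if k not in seen: seen.add(k); stack.append(k)
    return seen

def modular_chains(p, j0, n):
    """Modular 2-isogeny chains (j_0, ..., j_n) from j0 without backtracking (Definition 14): at each
    step one copy of j_{i-1}, the root of the dual edge, is removed from the multiset of roots."""
    chains = [(j0,)]
    for _ in range(n):
        nxt = []
        for ch in chains:
            roots = list(neighbours(p, ch[-1]))
            if len(ch) > 1: roots.remove(ch[-2])
            nxt += [ch + (k,) for k in sorted(set(roots))]
        chains = nxt
    return chains

def ss_count(p):
    """#SS(p) = floor(p/12) + {0, 1, 1, 2} for p = 1, 5, 7, 11 mod 12, valid for p > 3."""
    return p // 12 + {1: 0, 5: 1, 7: 1, 11: 2}[p % 12]
def kronecker(d, ell):
    """Kronecker symbol (d / ell) for a fundamental discriminant d and a prime ell."""
    if ell == 2: return 0 if d % 2 == 0 else (1 if d % 8 in (1, 7) else -1)
    r = pow(d % ell, (ell - 1) // 2, ell)
    return 0 if r == 0 else (1 if r == 1 else -1)

def class_number_depth(disc_K, ell, n):
    """h(O_n) for O_n = Z + ell^n O_K, O_K = Z[i] (disc -4) or Z[zeta_3] (disc -3), from
    h(O) = h(O_K) [O_K:O] / [O_K^x:O^x] * prod_{q | [O_K:O]} (1 - (D_K/q)/q), with h(O_K) = 1."""
    if n == 0: return 1
    unit_index = {-4: 2, -3: 3}[disc_K]            # [O_K^x : O_n^x] = 4/2 resp. 6/2 once n >= 1
    return ell**n * (ell - kronecker(disc_K, ell)) // (ell * unit_index)

def depth_needed(p, disc_K, ell):
    """Smallest n with h(O_n) >= #SS(p): the ell^n ~ p requirement of the OSIDH setup."""
    n = 0
    while class_number_depth(disc_K, ell, n) < ss_count(p): n += 1
    return n

if __name__ == "__main__":
    p, j0 = 83, (1728 % 83, 0)                     # p = 3 mod 4, so j = 1728 is supersingular
    n = depth_needed(p, -4, 2)
    ends = {c[-1] for c in modular_chains(p, j0, n) if c[1] != j0}     # descending chains only
    print(neighbours(p, j0), len(component(p, j0)), ss_count(p), n, class_number_depth(-4, 2, n), len(ends))
```

Two details are worth noticing when running it. Out of $j = 1728$ the cubic $\Phi_2(1728, Y)$ factors as $(Y - 1728)(Y - 287496)^2$: the simple root is the horizontal edge given by the endomorphism $1 + i$, and the double root is the pair of descending edges swapped by the automorphism $[i]$, which is exactly the reduced edge count at the vertices with extra automorphisms discussed in Section 2; the multiplicity handling in `neighbours` keeps that information. And the root search costs $O(p^2)$ field evaluations per vertex, which is why a real implementation finds roots by a gcd with $Y^{p^2} - Y$ as the remark after Proposition 15 assumes.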

5.1. A first naive protocol
We now present the OSIDH cryptographic protocol based on this construction. We first describe a simplified version as an intermediate step. The reason for doing so is twofold. On the one hand it permits us to observe how the notions introduced so far lead to a cryptographic protocol, and on the other hand it highlights the critical security considerations and identifies the computationally hard problems on which the security is based.
As described at the beginning of the section, we fix a maximal order $\mathcal{O}_K$ in a quadratic imaginary field $K$ of small discriminant $\Delta_K$ and a large prime $p$ such that $\left(\frac{\Delta_K}{p}\right) = -1$. Further, the two parties agree on an elliptic curve $E_0$ with effective maximal order $\mathcal{O}_K$ embedded in the endomorphism ring and a descending $\ell$-isogeny chain: Each constructs a power smooth horizontal endomorphism $\psi$ of $E_0$ as the product of generators of small principal ideals in $\mathcal{O}_K$. A power smooth isogeny, for which the prime divisors and exponents of its degree are bounded, ensures that $\psi$ can be efficiently extended to a ladder.
Remark. In practice, we will fix $\mathcal{O}_K$ to be either the Eisenstein integers $\mathbb{Z}[\zeta_3]$ or the Gaussian integers $\mathbb{Z}[\zeta_4]$ $(= \mathbb{Z}[i])$. Since the ladder is descending, we have that

Alice privately chooses a horizontal power smooth endomorphism $\psi_A = \psi_0 : E_0 \to F_0 = E_0$, and pushes it forward to an $\ell$-ladder of length $n$: The $\ell$-isogeny chain $(F_i)$ is sent to Bob, who chooses a horizontal smooth endomorphism $\psi_B$, and sends the resulting $\ell$-isogeny chain $(G_i)$ to Alice. Each applies (and, eventually, pushes forward) the private endomorphism to obtain $(H_i) = \psi_B \cdot (F_i) = \psi_A \cdot (G_i)$, and $H = H_n$ is the shared secret.
In the following picture the blue arrows correspond to the orientation chosen throughout by Alice while the red ones represent the choice made by Bob.
In the end, Alice and Bob share a new chain $E_0 \to H_1 \to \cdots \to H_n$. This naive protocol reveals too much information and is susceptible to attack by computing the endomorphism rings of the end curves $\mathrm{End}(E_n)$, $\mathrm{End}(F_n)$, and $\mathrm{End}(G_n)$. In general, the problem of computing an isogeny between two supersingular elliptic curves $E$ and $F$ knowing $\mathrm{End}(E)$ is broadly equivalent to the task of computing $\mathrm{End}(F)$ [17, 13]. Kohel's algorithm [19], and the refinement of Galbraith [16], compute several paths in the isogeny graph to find isogenies $F \to F$. Thus, as noted in [17], computing $\mathrm{End}(F)$ can be reduced to finding an endomor-

Remark. Observe that in SIDH and CSIDH the endomorphism ring of the starting elliptic curve is known, since the shared initial curve is chosen to have special form.
In OSIDH the situation changes: we need to find an isogeny starting from $E_n$, and not from the curve $E_0$ for which we have an explicit description of the endomorphism ring. However, knowing $\mathrm{End}(E_0)$, we can deduce at each step and thus we obtain the inclusion $\mathbb{Z} + \ell^n\mathrm{End}(E_0) \hookrightarrow \mathrm{End}(E_n)$.
Notice that, in general, knowing the existence of a copy of an imaginary quadratic order inside the maximal order of a quaternion algebra does not guarantee the knowledge of the embedding, as there might be many [12, II.5]. In this case, from the knowledge of a subring $\mathbb{Z} + \ell\,\mathrm{End}(E_i)$ of finite index $\ell^3$ we can reconstruct $\mathrm{End}(E_{i+1})$ step-by-step from the $\ell$-isogeny chain $E_0 \to E_1 \to \cdots \to E_n$, and hence compute $\mathrm{End}(E_n)$.
In the naive protocol we also share the full isogeny chain $(F_i)$ (or its $j$-invariant sequence), which allows an adversary to deduce the oriented endomorphism ring $\mathbb{Z} + \ell^n\mathcal{O}_K \hookrightarrow \mathrm{End}(F_n)$ of the terminal elliptic curve $F = F_n$. This gives enough information to deduce $\mathrm{Hom}(E, F)$ and construct a representative smooth ideal in $\mathcal{C}\ell(\mathcal{O})$ sending $E$ to $F$.
We observe that there is another approach to this problem which uses only properties of the ideal class group. Suppose we have a $K$-descending $\ell$-isogeny chain This induces a sequence at the level of class groups In particular, there exists a surjection whose kernel is easily described. First, the map $\psi :$ where $\xi^2 = 0$ (see [10, §7.D] and [22, §12]). Thereafter, for each $i > 1$, the surjection $\mathcal{C}\ell(\mathcal{O}_{i+1}) \to \mathcal{C}\ell(\mathcal{O}_i)$ has cyclic kernel of order $\ell$ by virtue of the class number formula (1), and hence we have a short exact sequence Thus if we have already constructed some representative for $\psi_A$ modulo $\ell^i\mathcal{O}_K$, we can lift it to find $\psi_A \bmod \ell^{i+1}\mathcal{O}_K$ from $\ell$ possible preimages. For each candidate lift $\psi_A \bmod \ell^{i+1}\mathcal{O}_K$, we search for a smooth representative The candidate smooth lift can be applied to $E_{i+1}$, and the correct lift is that which sends $E_{i+1}$ to $F_{i+1}$ in the $\ell$-isogeny chain (see Figure 8). This yields an algorithm involving multiple instances of the discrete logarithm problem in a group of order $\ell$, as in the Pohlig-Hellman algorithm [23] and in the generalization of Teske [29].

Figure 8. Construction of Alice's secret key

In conclusion, this naive protocol is insecure because the two parties share the knowledge of the entire chains $(F_i)$ and $(G_i)$. The question becomes: how can we avoid sharing the $\ell$-isogeny chains while still giving the other party enough information to carry out their isogeny walk?

5.2. The OSIDH protocol
We now detail how to send enough public data to compute the isogenies $\psi_A$ and $\psi_B$ on $G = G_n$ and $F = F_n$, respectively, without revealing the $\ell$-isogeny chains $(F_i)$ and $(G_i)$. The setup remains the same, with a public choice of $\mathcal{O}_K$-oriented elliptic curve $E_0$ and $\ell$-isogeny chain Moreover, a set of primes $\mathfrak{q}_1, \ldots, \mathfrak{q}_t$ (above $q_1, \ldots, q_t$) splitting in $\mathcal{O}_K$ is fixed.
The first step consists of choosing the secret keys; these are represented by a sequence of integers $(e_1, \dots, e_t)$ such that $|e_i| \leq r$. The bound $r$ is taken so that the number $(2r+1)^t$ of curves that can be reached is sufficiently large. This choice of integers enables Alice to compute a new elliptic curve $F_n$ by the action of $\mathfrak{q}_1^{e_1}\cdots\mathfrak{q}_t^{e_t}$ on $E_n$, by means of constructing the following commutative diagram. Observe that this is just a union of $q_i$-ladders.
At this point the idea is to exchange the curves $F_n$ and $G_n$ and to apply the same process again, starting from the elliptic curve received from the other party. Unfortunately, this is not enough to get to the same final elliptic curve. Once Alice receives the unoriented curve $G_n$ computed by Bob, she also needs additional information for each prime $q_i$:

[Diagram: Bob's curve $G_n$ with the two horizontal $q_i$-isogenies, with kernels $G_n[\mathfrak{q}_i]$ and $G_n[\bar{\mathfrak{q}}_i]$]

but she has no information as to which directions, out of the $q_i + 1$ total $q_i$-isogenies, to take as $\mathfrak{q}_i$ and $\bar{\mathfrak{q}}_i$. For this reason, once they have constructed their elliptic curves $F_n$ and $G_n$, they precompute, for each prime $q_i$, the $q_i$-isogeny chains coming from $\bar{\mathfrak{q}}_i^{\,j}$ (denoted by the class $\mathfrak{q}_i^{-j}$) and $\mathfrak{q}_i^{\,j}$. Now Alice obtains from Bob the curve $G_n$ and, for each $i$, the horizontal $q_i$-isogeny chains determined by the isogenies with kernels $G_n[\mathfrak{q}_i^{\,j}]$. With this information Alice can take $e_1$ steps in the $q_1$-isogeny chain and push forward all the $q_i$-isogeny chains for $i > 1$.

Remark. We recall that pushing forward means constructing a ladder which transmits all the information about the commutative action of $\mathfrak{q}_i^{e_i}$ in the class group.
Alice repeats the process for all the $q_i$'s, each time pushing forward the isogenies for the primes with index strictly bigger than $i$. Finally, she obtains a new elliptic curve $H_n$, the image of $E_n$ under $\mathfrak{q}_1^{e_1+d_1}\cdots\mathfrak{q}_t^{e_t+d_t}$. Bob follows the same process with the public data received from Alice, in order to compute the same curve $H_n$.

Recall that, in the naive protocol, Alice and Bob compute the group action on the full $\ell$-isogeny chains. In the refined OSIDH protocol, Alice and Bob share sufficient information to determine the curve $H_n$ without knowledge of the other party's $\ell$-isogeny chain $(G_i)$ or $(F_i)$, nor of the full $\ell$-isogeny chain $(H_i)$ from the base curve $E_0$.

[Diagram: computing the shared data. Alice takes $e_i$ steps in the $q_i$-isogeny chain and pushes forward the information for all $j > i$; Bob takes $d_i$ steps in the $q_i$-isogeny chain and pushes forward the information for all $j > i$.]

In the end, Alice and Bob share the same elliptic curve $H_n$.

Remark. We can read this scheme using the terminology of section 3.
After the choice of the secret key, we observe a vortex: Alice (respectively Bob) acts on an isogeny crater (which in the case of $\mathcal{O}_K = \mathbb{Z}[\zeta_3]$ or $\mathbb{Z}[i]$ consists of a single point) with the primes $\mathfrak{q}_1^{e_1}\cdots\mathfrak{q}_t^{e_t}$ (respectively $\mathfrak{q}_1^{d_1}\cdots\mathfrak{q}_t^{d_t}$). This action is eventually transmitted along the $\ell$-isogeny chain and we get a whirlpool. We can think of the isogeny volcano as rotating under the action of the secret keys, with the initial $\ell$-isogeny path transforming into the two secret isogeny chains.

Security considerations
In order to ensure security of the system, we have seen that the data giving the orientation must remain hidden. A second consideration is the proportion of curves attained by the action of the class group $\mathrm{C}\ell(\mathcal{O})$, and by the private walks $\psi_A$ and $\psi_B$ of Alice and Bob in that class group. The size of the orbit of $\mathrm{C}\ell(\mathcal{O})$ is controlled by the chain length $n$, and the number of curves attained by the private walks is further limited by the prime power data, up to exponent bounds, which we allow ourselves to transmit.
Chain length. Suppose that $(E_i)$ is an isogeny chain of length $n$, from a supersingular elliptic curve $E_0$ oriented by $\mathcal{O}_K$ of class number one, and consider $\mathrm{Hom}(E_0, E_n) = \phi\mathcal{O}_K + \psi\mathcal{O}_K$.
As a quadratic module with respect to the degree map, its determinant is $p^2$. If $n$ is large enough that $E_n$ represents a general curve in $SS(p)$, then a set of reduced basis elements $\phi$ and $\psi$ satisfies $\deg(\phi) \approx \deg(\psi) \approx \sqrt{p}$.

Figure 9. Graphic representation of OSIDH

Now suppose that $\phi: E_0 \to E_n$ is the isogeny giving the $\ell$-isogeny chain. If $\deg(\phi) = \ell^n$ is less than $\sqrt{p}$, then $\phi\mathcal{O}_K$ is a submodule generated by short isogenies, and $E_n$ is special. We conclude that we must choose $n$ to be at least $\log_\ell(p)/2$ in order to avoid an attack which seeks to determine $\phi\mathcal{O}_K$ as a distinguished submodule of low degree isogenies.

We extend this argument to consider the logarithmic proportion $\lambda$ of supersingular elliptic curves we can reach. In order to cover $p^\lambda$ supersingular curves, out of $|SS(p)| = p/12 + \varepsilon_p$ curves, $\deg(\phi)$ must be such that $|\mathcal{O}_K^*\backslash(\mathbb{Z}/\ell^n\mathbb{Z})^*| \approx \ell^n = \deg(\phi) \approx p^\lambda$. In particular, choosing $\lambda = 1$, we find that $n = \log_\ell(p)$ is the critical length for reaching all supersingular curves.
Assuming that $E$ and $F$ are generic relative to one another, a reduced basis satisfies $\deg(\psi_i) \approx \sqrt{p}$, as above. Thus the private walk $\psi_A$ should satisfy $\log_p(\deg(\psi_A)) \geq 1/2$ in order that $\mathbb{Z}\psi_A$ is not a distinguished submodule of $\mathrm{Hom}(E, F)$. This critical distance is the maximum that can be attained by the SIDH protocol.
As above, another measure of the generality of $\psi_A$ is the number of curves that can be reached by different choices of the isogeny $\psi_A$. For a fixed degree $m$, the number of curves which can be attained is

For the SIDH protocol, one has $\ell_A^{n_A} \approx \ell_B^{n_B} \approx \sqrt{p}$, and only $\sqrt{p}$ curves out of $p/12$ can be reached.
In the CSIDH or OSIDH protocols, the degree of the isogeny is not fixed. The total number of isogenies of any degree $d$ up to $m$ is

Since $|S_m| \approx m$, to cover a subset of $p^\lambda$ classes, we need $\log_p(\deg(\psi_A)) \geq \lambda$.
Private walk exponents. In practice, rather than bounding the degree, for efficient evaluation one fixes a subset of small split primes, and the space of exponent vectors is bounded. The instantiation CSIDH-512 (see [5]) uses a prime of 512 bits such that for each of 74 primes one has a choice of 11 exponents in $[-5, 5]$. This gives 256 bits of freedom, which is of the order of magnitude needed to cover $h(-p) \approx \sqrt{p}$ classes (up to logarithmic factors). In this instance the class number $h(-p)$ was computed [2] and found to be 252 bits. For the general OSIDH construction, we choose exponent vectors $(e_1, \dots, e_t)$ in the space $I_1 \times \cdots \times I_t \subset \mathbb{Z}^t$, where $I_j = [-r_j, r_j]$, defining $\psi_A$ with kernel $\ker(\psi_A) = E[\mathfrak{q}_1^{e_1}\cdots\mathfrak{q}_t^{e_t}]$. We thus express the map to $SS(p)$ as the composite of the map of exponent vectors to the class group and the image of $\mathrm{C}\ell(\mathcal{O})$. In order to avoid revealing any cycles, we want the former map to be effectively injective, that is, either injective or such that it is computationally difficult to find a nontrivial element of the kernel in $(I_1 \times \cdots \times I_t) \cap \ker(\mathbb{Z}^t \to \mathrm{C}\ell(\mathcal{O}))$.
In order to cover as many classes as possible, the latter should be nearly surjective.
Setting $\lambda = 1$, $\ell = 2$ and $\log_\ell(p) = 256$, the parameters $t = 74$ and $r = 5$ give critical values as in CSIDH-512, with the group action mapping to the full set of supersingular points $SS(p)$.

Conclusion
By imposing the data of an orientation by an imaginary quadratic ring $\mathcal{O}$, we obtain an augmented category of supersingular curves on which the class group $\mathrm{C}\ell(\mathcal{O})$ acts faithfully and transitively. This idea is already implicit in the CSIDH protocol, in which supersingular curves over $\mathbb{F}_p$ are oriented by the Frobenius subring $\mathbb{Z}[\pi] \cong \mathbb{Z}[\sqrt{-p}]$. In contrast, we consider an elliptic curve $E_0$ oriented by a CM order $\mathcal{O}_K$ of class number one. To obtain a nontrivial group action, we consider descending $\ell$-isogeny chains in the $\ell$-volcano, on which the class group of an order $\mathcal{O}$ of large index $\ell^n$ in $\mathcal{O}_K$ acts. The map from an $\ell$-isogeny chain to its terminal node forgets the structure of the orientation, giving rise to a generic curve in the supersingular isogeny graph. Within this general framework we define a new oriented supersingular isogeny Diffie-Hellman (OSIDH) protocol, which has fewer restrictions on the proportion of supersingular curves covered and on the torsion group structure of the underlying curves. Moreover, the group action can be carried out effectively solely on the sequences of modular points (such as $j$-invariants) on a modular curve, thereby avoiding expensive isogeny computations, and is further amenable to speedup by precomputations of endomorphisms on the base curve $E_0$.