Higher-Degree Supersingular Group Actions

Higher-degree supersingular group actions Mathilde Chenu1,2 and Benjamin Smith2,1 1Laboratoire d’Informatique (LIX), CNRS, École polytechnique, Institut Polytechnique de Paris, Palaiseau, France 2Inria, Palaiseau, France

Abstract We investigate the isogeny graphs of supersingular elliptic curves over F푝2 equipped with a 푑-isogeny to their Galois conjugate. These curves are interesting because theyp are, in a sense, a generalization of curves deﬁned over F푝, and there is an action of the ideal class group of Q( −푑푝) on the isogeny graphs. We investigate constructive and destructive aspects of these graphs in isogeny-based cryptography, including generalizations of the CSIDH cryptosystem and the Delfs–Galbraith algorithm.

Keywords: Isogeny-based cryptography, Supersingular elliptic curves, Endomorphisms 2010 Mathematics Subject Classiﬁcation: 94A60, 11Y40

1 INTRODUCTION

Supersingular isogeny graphs of elliptic curves over F푝2 , with their rich number-theoretic and combinatorial properties, are at the heart of an increasing number of pre- and post-quantum cryptosystems. Identifying and exploiting special subgraphs of supersingular isogeny graphs is key to understanding their mathematical properties, and their cryptographic potential. Isogeny-based cryptosystems roughly fall into two families. On one hand, we have the cryptosystems that work in the full ℓ-isogeny graph for various ℓ, including the Charles–Goren–Lauter hash [13], SIDH [30, 23, 17], SIKE [31], OSIDH [16], SQISign [24], and many more. These systems take advantage of the fact that the supersingular ℓ-isogeny graph is a large regular graph with large diameter and excellent expansion and mixing properties (indeed, it is a Ramanujan graph). On the other hand, we have cryptosystems that work in the F푝-subgraph supported on vertices defined over F푝 (or with 푗-invariants in F푝), such as CSIDH [11], CSI-FiSh [7], and CSURF [10]. These cryptosystems, many of which represent optimizations and extensions of pioneering work with ordinary curves due to Stolbunov [43, 46] and Couveignes [18], take advantage of the fact that the F푝-endomorphism rings of these curves are an imaginary quadratic ring, and the ideal class group of this ring has a convenient and efficiently-computable commutative action on the F푝-subgraph. This group action allows us to define many simple and useful cryptosystems, but it also explains the structure of the F푝-subgraph, allowing us to use it as a cryptanalytic tool [21] and as a convenient point-of-reference when exploring structures in the full supersingular isogeny graph [1]. This paper investigates a family of generalizations of the F푝-subgraph, one for each squarefree integer 푑. The key is to recognise that a curve E/F푝2 has its 푗-invariant in F푝 precisely when E is isomorphic to the conjugate ( 푝) curve E /F푝2 defined by 푝-th powering the coefficients of E, and the edges of the F푝-subgraph correspond to isogenies that are compatible with these isomorphisms. In this paper, we relax the isomorphisms to 푑-isogenies, and consider the cryptographic consequences. We obtain a series of distinguished subgraphs of the supersingular isogeny graph, each equipped with a free and transitive action by an ideal class group. We define (푑, 휖)-structures—essentially, curves with a 푑-isogeny to their conjugate—and the isogenies between them in §2. While (푑, 휖)-structures are defined over F푝2 , in §3 we show that they have modular invariants in F푝, and give useful parameterizations for 푑 = 2 and 3. We narrow our focus to supersingular curves in §4, using the theory of orientations to set up the class group action on (푑, 휖)-structures. We give some illustrative examples of isogeny graphs of supersingular (푑, 휖)-structures in §5, before turning to cryptographic applications in §6. Isogeny graphs of (푑, 휖)-structures are a natural setting for variants of CSIDH (and closely related cryptosystems). We give arguments for the security of such cryptosystems in §6.1. We outline a non-interactive key exchange in §6.2, generalizing CSIDH (which is the special case 푑 = 1), and highlight some of the subtleties that appear when we move to 푑 > 1. Optimized implementation techniques are beyond the scope of this article. The isogeny graphs formed by (푑, 휖)-structures form interesting geographical features in the full supersingular isogeny graph. Charles, Goren, and Lauter investigated random walks that happen to hit (푑, ±1)-structures in the security analysis of their hash function [13, §7]; random walks into (ℓ, ±1)-structures are also key in the path-finding algorithm of [22]. Further heuristics in this direction appear in [1]. Here, we consider these vertices not in isolation, but within their own isogeny graphs; thus, we obtain a series of generalizations of the “spine” of [1], and a broad generalization of the Delfs–Galbraith isogeny-finding algorithm [21] in §6.4.

*Corresponding Author: [email protected] ; [email protected]

1 Notation and conventions. If E is an elliptic curve, then End(E) denotes its endomorphism ring and End0 (E) ( 푝) denotes End(E) ⊗ Q. Each elliptic curve E/F푝2 has a Galois-conjugate curve E , defined by 푝-th powering all of the coefficients in the defining equation of E. The curve and its conjugate are connected by inseparable ( 푝) ( 푝) “Frobenius” 푝-isogenies 휋 푝 : E → E and 휋 푝 : E → E, defined by 푝-th powering the coordinates (abusing ( 푝) ( 푝) notation, all inseparable 푝-isogenies will be denoted by 휋 푝). Observe that (E ) = E, and the composition of ( 푝) ( 푝) 휋 푝 : E → E and 휋 푝 : E → E is the 푝2-power Frobenius endomorphism 휋E of E. Conjugation also operates ′ ( 푝) ( 푝) ′( 푝) on isogenies: each isogeny 휙 : E → E defined over F푝2 has a Galois conjugate isogeny 휙 : E → E , defined by 푝-th powering all of the coefficients in a rational map defining 휙. We always have

( 푝) ( 푝) ( 푝) (휙 ) = 휙 and 휋 푝 ◦ 휙 = 휙 ◦ 휋 푝 , and conjugation thus gives an isomorphism of rings between End(E) and End(E ( 푝) ).

2 CURVES WITH A 푑-ISOGENY TO THEIR CONJUGATE Let 푝 > 3 be a prime, and 푑 a squarefree integer prime to 푝. Typically, 푝 is very large and 푑 is very small. ( 푝) We are interested in elliptic curves E/F푝2 equipped with a 푑-isogeny 휓 : E → E . Given any such 푑-isogeny 휓, we have two returning 푑-isogenies:

휓 ( 푝) : E ( 푝) → E and 휓b : E ( 푝) → E .

( 푝) Deﬁnition 1. Let E/F푝2 be an elliptic curve equipped with a 푑-isogeny 휓 : E → E to its conjugate. We say that (E, 휓) is a (푑, 휖)-structure if 휓b = 휖휓 ( 푝) with 휖 ∈ {1, −1} . Each (푑, 휖)-structure (E, 휓) has an associated endomorphism

휇 := 휋 푝 ◦ 휓 ∈ End(E) .

We say that (E, 휓) is ordinary resp. supersingular if E is ordinary resp. supersingular.1 Proposition 1. If (E, 휓) is a (푑, 휖)-structure and 휇 is its associated endomorphism, then

2 휇 = [휖푑]휋E .

If 휋E is the Frobenius endomorphism of E and 푡E is its trace, then there exists an integer 푟 such that [푟]휇 = [푝]+휖휋E in End(E), 푑푟2 = 2푝 + 휖푡E in Z, and the characteristic polynomial of 휇 is 푃휇 (푇) = 푇 2 − 푟푑푇 + 푑푝.

( 푝) 2 ( 푝) ( 푝) ( 푝) b Proof. We have 휓휋 푝 = 휋 푝휓 , so 휇 = 휋 푝휓휋 푝휓 = 휋 푝 (휋 푝휓 )휓 = 휋E (휓 휓). Now 휓 = 휖휓 (because ( 푝) (E, 휓) is a (푑, 휖)-structure), so 휓 휓 = [휖푑], and therefore 휇2 = [휖푑]휋E. For the rest: 휇 has degree 푑푝, so it satisﬁes a quadratic polynomial 푃휇 (푇) = 푇 2 − 푎푇 + 푑푝 for some integer 푎. The ﬁrst assertion then implies [푎]휇 = 휇2 + [푑푝] = [휖푑]휋E + [푑푝]. Squaring, we obtain

2 2 2 2 2 ([푎]휇) = [푑] (휋E + 푝 ) + 2[푑푝][휖푑]휋E = [푑] (푡E 휋E) + 2[푑푝][휖푑]휋E = [휖푑]휋E ([휖푑]푡E + 2푑푝) , so 푎2 = 휖푑푡E + 2푑푝, hence 푑 | 푎2. But 푑 is squarefree, so 푑 | 푎, and then 푟 = 푎/푑 satisﬁes the given conditions. □

Remark 1. In the situation of Proposition 1: if E is ordinary, then Z[휇] and Z[휋E] are orders in Q(휋E) of 2 2 2 2 2 2 2 discriminant 푑 푟 − 4푑푝 and 푡E − 4푝 = 푟 (푑 푟 − 4푑푝), respectively, so |푟| is the conductor of Z[휋E] in Z[휇]. (The supersingular case is treated in detail in §4.) Deﬁnition 2. Let (E, 휓) and (E′, 휓′) be (푑, 휖)-structures. We say an isogeny (resp. isomorphism) 휙 : E → E′ is an isogeny (resp. isomorphism) of (푑, 휖)-structures if 휓′휙 = 휙( 푝) 휓, that is, if the following diagram commutes:

휓 E E ( 푝)

휙 휙( 푝)

휓′ E′ (E′) ( 푝)

1We focus on curves deﬁned over F푝2 because our applications involve supersingular curves, and every supersingular curve is isomorphic to a curve over F푝2 . One might consider isogenies to conjugates over higher-degree extensions, but then in general we do not have the relation 휓b = ±휓( 푝) , which is fundamental to our results.

2 It is easily veriﬁed that isogenies of (푑, 휖)-structures follow the usual rules obeyed by isogenies: the composition of two isogenies of (푑, 휖)-structures is an isogeny of (푑, 휖)-structures, the dual of an isogeny of (푑, 휖)-structures is an isogeny of (푑, 휖)-structures, and every (푑, 휖)-structure has an isogeny to itself (the identity map, for example). Isogeny therefore forms an equivalence relation on (푑, 휖)-structures. If (E, 휓) is a (푑, 휖)-structure with associated endomorphism 휇, then ( 푝) −(E, 휓) := (E, −휓) and (E, 휓) := (E ( 푝) , 휓 ( 푝) ) are (푑, 휖)-structures with associated endomorphisms −휇 and 휇( 푝) , respectively. If 휙 : (E, 휓) → (E′, 휓′) is an ( 푝) ( 푝) isogeny of (푑, 휖)-structures, then 휙 : −(E, 휓) → −(E′, 휓′) and 휙( 푝) : (E, 휓) → (E′, 휓′) are also isogenies of (푑, 휖)-structures. We thus have two involutions, negation and conjugation, on the category of (푑, 휖)-structures and their isogenies. ( 푝) ( 푝) Remark 2. The isogenies 휓 and 휋 푝 : E → E are both in fact isogenies of (푑, 휖)-structures (E, 휓) → (E, 휓) .

Twisting. Let 훼 be an element of F푝 \{0}. For each elliptic curve E : 푦2 = 푥3 + 푎푥 + 푏, there is a curve

훼 2 2 3 4 6 E /F푝2 (훼 ) : 푦 = 푥 + 훼 푎푥 + 훼 푏

훼 2 3 F 2 (훼) 휏훼 E → E (푥, 푦) ↦→ (훼 푥, 훼 푦) 휏훼 and an 푝 -isomorphism : deﬁned by . Abusing notation, we write√ for 훿 this map on every elliptic curve; with this convention, 휏훽 ◦ 휏훼 = 휏훼훽. If 훿 is a nonsquare in F푝2 then E is the √ quadratic twist (which, up to F푝2 -isomorphism, is independent of the choice of nonsquare 훿) and 휏 훿 is the twisting ′ 2 isomorphism. For each isogeny 휙 : E → E deﬁned over F푝2 , there is an F푝2 (훼 )-isogeny 훼 훼 ′ 훼 휙 := (휏훼 ◦ 휙 ◦ 휏1/훼) : E −→ (E ) .

Now let (E, 휓) be a (푑, 휖)-structure with associated endomorphism 휇. If again we choose a nonsquare 훿 in F 2 , √ √ √ 푝 훿 훿 F (E 훿, 휓 훿) (푑, ± ) and a square root of in 푝4 , then in general√ √ is not a √ 1 -structure (because conjugation and 훿 훿 √ 훿 twisting generally do not commute); but (E, 휓) := (E , 휏 ( 푝− ) ◦ 휓 ) is a (푑, −휖)-structure with associated √ √ ( 훿) 1 √ 휇 훿 F (E, 휓) 훿 훿 (E, 휓) 훿 endomorphism . The 푝2 -isomorphism class√ of√ is independent of the choice of ; we call (E, 휓) ((E, 휓) 훿) 훿 (E, 휓) 휙 (E, 휓) → (E′, 휓′) (푑, 휖) the quadratic twist√ of . Note that .√ If : √ is√ an isogeny of - structures, then 휙 훿 induces an isogeny of (푑, −휖)-structures 휙 훿 : (E, 휓) 훿 → (E′, 휓′) 훿. Twisting therefore takes us from the category of (푑, 휖)-structures into the category of (푑, −휖)-structures and back again.

Example 1. Consider the case 푑 = 1. Each (1, 1)-structure is F푝2 -isomorphic to the base-extension to F푝2 of a curve deﬁned over F푝 (with the 1-isogeny being [±1]); the associated endomorphism is the 푝-power Frobenius endomorphism on the base-extended curve, and the integer 푟 of Proposition 1 is the trace of the 푝-power Frobenius. Each (1, −1)-structure is the quadratic twist of a (1, 1)-structure: essentially, an ordinary (1, −1)-structure is isomorphic to a GLS curve [26]. This discussion should be compared with the remark at the end of [44, §3].

3 PARAMETRIZATIONS AND MODULAR CURVES

For our computations, we can represent a (푑, 휖)-structure (E, 휓) as (E, 푓휓, 훼), where 푓휓 is the kernel polynomial of 휓 (that is, the monic polynomial whose roots are the 푥-coordinates of the nonzero points in ker 휓) and 훼 is the element such that 휓 = 휏훼 ◦ 휓˜, where 휓˜ : E → E/ker 휓 is the normalized “Vélu” isogeny. We want a more space-eﬃcient encoding of isomorphism classes of (푑, 휖)-structures, both as a canonical encoding for vertices in isogeny graphs, and for transmission of (푑, 휖)-structures used as cryptographic values. While (푑, 휖)-structures may seem to be relatively complicated objects over F푝2 , their isomorphism classes can be encoded to little more than a single element of F푝. Brieﬂy: the key is to take the quotient by negation, which maps the set 푆푑,휖 of isomorphism classes of (푑, 휖)-structures over F푝2 into 푋0 (푑)(F푝2 ), where 푋0 (푑) is the level-푑 modular curve. Then, the Atkin–Lehner involution 휔푑, which maps a modular point onto its “dual”, 푆 푋+ (푑) 푋 (푑)/⟨휔 ⟩ 푆 acts as conjugation on the image of 푑,휖 . Writing 0 = 0 푑 , we have a four-to-one map from 푑,휖 푋+ (푑)(F ) (E, 휓) −(E, 휓) (E, 휓) ( 푝) −(E, 휓) ( 푝) onto 0 푝 , identifying the isomorphism class of with , , and . We can 푆 푋+ (푑)(F ) therefore represent an element of 푑,휖 as a point in 0 푝 plus two bits (one to determine the sign, the other 푋+ (푑) 푋+ (푑)(F ) the conjugate). Since 0 is a curve, we can further compress the representative point in 0 푝 to one F 푋+ (푑)(F ) 푋+ (푑) element of 푝 plus a few bits. This step depends strongly on the geometry of 0 푝 : for example, if 0 푋+ (푑)(F ) has genus 0 then we can rationally parametrize it, giving a simple compression of points in 0 푝 to single F 푋+ (푑) 푋+ (푑)(F ) F elements of 푝; if 0 is hyperelliptic, then we can compress points in 0 푝 to a single element of 푝 plus 푋+ (푑) a “sign” bit in the usual way; and as the gonality of 0 increases, so does the number of auxiliary bits required.

3 A full development of these representations and the algorithms that operate on them is beyond the scope of this short article, but we will give useful explicit constructions for 푑 = 2 and 3 here, derived from explicit parametrizations of Q-curves due to Hasegawa [29]. The associated endomorphisms for ordinary curves in these families have been used to accelerate scalar multiplication algorithms (see [44], where we also ﬁnd related families for 푑 = 5 and 7, and [28]) and as inputs for specialized point-counting algorithms [37].

3.1 REPRESENTING (2, 휖)-STRUCTURES √ Let Δ be a nonsquare in F푝, and ﬁx a square root Δ in F푝2 . For each 푢 in F푝, the curve √ √ 2 3 E2,푢/F푝2 : 푦 = 푥 − 6(5 − 3푢 Δ)푥 + 8(7 − 9푢 Δ)

( 푝) has a rational 2-torsion point (4, 0), which generates the kernel of a 2-isogeny 휓2,푢 : E2,푢 → E2,푢 deﬁned over F푝2 . If we use Vélu’s formulae to compute the (normalized) quotient isogeny E2,푢 → E2,푢/⟨(4, 0)⟩, then the E /⟨( , )⟩ → E ( 푝) 휏 √ 휓 isomorphism 2,푢 4 0 2,푢 is 1/ −2. Composing, we obtain an expression for 2,푢 as a rational map: √ √ !! −푥 9(1 + 푢 Δ) 푦 −1 9(1 + 푢 Δ) 휓2,푢 : (푥, 푦) ↦−→ − , √ + . 2 푥 − 4 −2 2 (푥 − 4)2

b ( 푝) Computing the dual isogeny 휓2,푢 and comparing it with 휓2,푢 , we ﬁnd that (E2,푢, 휓2,푢) is a (2, 1)-structure if 푝 ≡ 5, 7 (mod 8), or a (2, −1)-structure if 푝 ≡ 1, 3 (mod 8). (To obtain a family of (2, −1)-structures when 푝 ≡ 5, 7 (mod 8) or (2, 1)-structures if 푝 ≡ 1, 3 (mod 8), it suﬃces to take the quadratic twist.)

3.2 REPRESENTING (3, 휖)-STRUCTURES √ Let Δ be a nonsquare in F푝, and fix a square root Δ in F푝2 . For each 푢 in F푝, the elliptic curve √ √ 2 3 2 E3,푢/F푝2 : 푦 = 푥 − 3 5 + 4푢 Δ 푥 + 2 2푢 Δ + 14푢 Δ + 11 √ has an order-3 subgroup {O, (3, ±2(1 − 푢 Δ))} defined by the polynomial 푥 − 3. Taking the quotient with 휏 √ 휓 E → E ( 푝) Vélu’s formulae and composing with 1/ −3 yields an explicit 3-isogeny 3,푢 : 3,푢 3,푢 , and we find that (E3,푢, 휓3,푢) is a (3, 1)-structure if 푝 ≡ 2 (mod 3), or a (3, −1)-structure if 푝 ≡ 1 (mod 3). (To obtain a family of (3, −1)-structures when 푝 ≡ 2 (mod 3) or (3, 1)-structures if 푝 ≡ 1 (mod 3), take the quadratic twist.)

4 SUPERSINGULAR (푑, 휖)-STRUCTURES We now come to the main focus of our investigation: supersingular (푑, 휖)-structures and their isogeny graphs.

Deﬁnition 3. We write D푑,휖 (푝) for the set of supersingular (푑, 휖)-structures over F푝2 up to F푝2 -isomorphism, and Γ(D푑,휖 (푝)) for the graph on D푑,휖 (푝) whose edges are (F푝2 -isomorphism classes of) isogenies of (푑, 휖)-structures. For each prime ℓ ≠ 푝, we write Γℓ (D푑,휖 (푝)) for the subgraph of Γ(D푑,휖 (푝)) where the edges are ℓ-isogenies.

Observe that the quadratic twist gives an isomorphism of graphs Γ(D푑,휖 (푝)) Γ(D푑,−휖 (푝)). Proposition 2. Let (E, 휓) be a (푑, 휖)-structure with associated endomorphism 휇. If E is supersingular, then 1. 휇2 = [−푑푝]. 2 2. The trace of Frobenius satisﬁes 푡E = −2휖 푝, and in particular E(F푝2 ) (Z/(푝 + 휖)Z) .

Proof. With the notation of Proposition 1: The curve E is supersingular if and only if 푝 | 푡E. Now 푝 ∤ 푑, so 푝 | 푟 푃 (푇) 휇 (푟푑)2 − 푑푝 by Proposition 1. Thep characteristic polynomial 휇 of has discriminant 4 ; this discriminant cannot 2 −2푝 be positive, so |푟| ≤ 2 푝/푑. Since 푝 | 푟, we have 푟 = 0, so 휇 = [−푑푝], and 푡E = 휖 = −2휖 푝. □ Proposition 2 tells us that if (E, 휓) is a supersingular (푑, 휖)-structure, then 휖 is completely determined by the F푝2 -isogeny class of E. Further, 푡E can only be ±2푝: the special supersingular traces −푝, 0, and 푝 (corresponding to non-quadratic twists of curves of 푗-invariant 0 and 1728, if these are supersingular) cannot occur.

4 4.1 ORIENTATIONS Proposition 2 tells us that the associated endomorphism of each supersingular (푑, 휖)-structure acts like a square root of −푑푝 in the endomorphism ring. We can make this notion more precise using orientations, as described by Colò and Kohel in [16] and Onuki in [38]. Before going further, we recall some generalities. Let 퐾 be an imaginary quadratic field, O퐾 its ring of integers, and O an order in 퐾.A 퐾-orientation on an 0 elliptic curve E/F푝2 is a homomorphism 휄 : 퐾 → End (E); we call the pair (E, 휄) a 퐾-oriented elliptic curve. We say 휄 is an O-orientation, and (E, 휄) is an O-oriented elliptic curve, if 휄(O) ⊆ End(E). An O-orientation 휄 : 퐾 → End0 (E) is primitive if 휄(O) = End(E) ∩ 휄(퐾): that is, if 휄 is “full” in the sense that it does not extend to an O′-orientation for any strict super-order O′ ⊃ O. Let (E, 휄) be a 퐾-oriented elliptic curve. If 휙 : E → E′ is an isogeny, then there is an induced 퐾-orientation ′ 휙∗ (휄) on E defined by 1 b 휙∗ (휄) : 훼 ↦−→ 휙 ◦ 휄(훼) ◦ 휙 . deg(휙) Given two oriented curves (E, 휄) and (E′, 휄′), an isogeny 휙 : E → E′ is said to be 퐾-oriented, or an isogeny of ′ ′ ′ 퐾-oriented elliptic curves, if 휄 = 휙∗ (휄). In this case we write 휙 : (E, 휄) → (E , 휄 ). If there exists a 퐾-oriented ′ ′ isogeny 휙˜ : (E , 휄 ) → (E, 휄) such that 휙˜ ◦ 휙 = [1] E and 휙 ◦ 휙˜ = [1] E′ , then we say that 휙 is a 퐾-oriented isomorphism, and we write (E, 휄) (E′, 휄′). Note that 휙 : (E, 휄) → (E′, 휄′) is an oriented isomorphism if and only if the underlying isomorphism of curves 휙 satisfies 휙 ◦ 휄(훼) = 휄′(훼) ◦ 휙 for all 훼 in 퐾. If 휙 : (E, 휄) → (E′, 휄′) is a 퐾-oriented isogeny, then 휄 resp. 휄′ is a primitive O resp. O′-orientation for some order O resp. O′ in 퐾. If ℓ = deg 휙 is a prime not equal to 푝, then one of the following holds: • O = O′, and 휙 is said to be horizontal; or • O ⊂ O′ with [O′ : O] = ℓ, and 휙 is said to be ascending; or • O ⊃ O′ with [O : O′] = ℓ, and 휙 is said to be descending. Let O be an order in a quadratic field 퐾 such that 푝 does not split in 퐾 or divide the conductor of O. Following [16], we let SSO (푝) denote the set of O-oriented supersingular elliptic curves over F푝 up to 퐾-oriented O 퐾 pr (푝) isomorphism. The subset of primitive -oriented curves (up to -oriented isomorphism) is denoted by SSO . For any integral invertible ideal 픞 in O and any O-oriented curve (E, 휄), we have a finite subgroup

E[픞] := {푃 ∈ E | 휄(훼)(푃) = 0 ∀훼 ∈ 픞} .

Now suppose 픞 is prime to the conductor of O in O퐾 .2 If 휙픞 : E → E/E[픞] is the quotient isogeny, then (휙픞)∗ (휄) is an O-orientation on E/E[픞], and 휙픞 is a horizontal isogeny of O-oriented curves. If 픞 is principal then (E/E[픞], (휙픞)∗ (휄)) (E, 휄), so the map

(픞, (E, 휄)) ↦→ (E/E[픞], (휙픞)∗ (휄)) extends to fractional ideals and factors through the class group, and as in [16] we get a transitive group action

Cl(O) × SSO (푝) −→ SSO (푝) .

Onuki [38] shows that if we restrict to a certain subset of the primitive O-oriented curves, then this action is transitive and free. Let JO denote the set of 푗-invariants of elliptic curves E over C (not F푝) with End(E) O. All elements in JO are algebraic integers, so an elliptic curve whose 푗-invariant is in JO has potential good reduction at any prime ideal. Since JO is finite, we can take a number field 퐿 and a prime ideal 픭 of 퐿 above 푝 such that for all 푗 ∈ JO, there exists an elliptic curve over 퐿 with good reduction at 픭 and 푗-invariant 푗. Fix an injection of the residue field of 퐿 modulo 픭 into F푝. Let Ell(O) be the set of isomorphism classes of elliptic curves E over 퐿 with good reduction at 푝 and 푗-invariants in JO. For every such E, we let [·] E be the normalized O-orientation: that ∗ is, such that for any invariant differential 휔 on E, ([훼] E) 휔 = 훼휔 for all 훼 in O. Then reduction mod 픭 defines a 휌 (O) → pr (푝) E (Ee, [.] ) Ee E/퐿 [·] map : Ell SSO sending to Ee , where is the reduction of at 픭 and E˜ is the orientation such that [훼] Ee = [훼] E (mod 픭) for all 훼 in O. Theorem 1 (Onuki [38, Theorem 3.4]). With the notation above: Cl(O) acts freely and transitively on 휌(Ell(O)).

4.2 THE NATURAL ORIENTATION p From now on we let 퐾 = Q( −푑푝), and let O퐾 be the maximal order of 퐾.

2Working with the class group, we can always replace ideals that are not prime to the conductor with equivalent integral ideals that are.

5 If (E, 휓) is a supersingular (푑, 휖)-structure and 휇 is the associated endomorphism, then p 0 휄휓 : Q( −푑푝) −→ End (E) p −푑푝 ↦−→ 휇 p is a Z[ −푑푝]-orientation by Proposition 2. We call this the natural orientation. p 2 Lemma 1. If E/F푝2 is a supersingular elliptic curve with #E(F푝2 ) = (푝 + 휖) and 휄 is a Z[ −푑푝]-orientation on E, then 휄 is the natural orientation for some (푑, 휖)-structure (E, 휓). p Proof. Let 휇 := 휄( −푑푝) in End(E). We have deg(휇) = 푑푝 and 푝 ∤ 푑, so 휇 factors over F푝2 into the composition of a 푑-isogeny and a 푝-isogeny. Since E is supersingular, the 푝-isogeny is isomorphic to 휋 푝, and so 휇 = 휋 푝휓 for some ( 푝) b ( 푝) 2 ( 푝) 2 ( 푝) 2 푑-isogeny 휓 : E → E . It remains to show that 휓 = 휖휓 . Now [−푑푝] = 휇 = 휋 푝휓휋 푝휓 = 휓 휋 푝휓 = 휓 휓휋 푝, 2 2 ( 푝) b ( 푝) and 휋 푝 = [−휖 푝] because E is supersingular with #E(F푝2 ) = (푝+휖) , so [푑] = 휖휓 휓, and therefore 휓 = 휖휓 . □ ′ ′ (E, 휓) (E , 휓 ) (푑, 휖) 휄 휄 ′ Lemma 2. Let and be -structures with natural orientationsp 휓 and 휓 , respectively. If 휙 : E → E′ is an isogeny, then 휙 is an isogeny (resp. isomorphism) of Z[ −푑푝]-oriented elliptic curves (E, 휄) → (E′, 휄′) if and only if it is an isogeny (resp. isomorphism) of (푑, 휖)-structures (E, 휓) → (E′, 휓′). Proof. Let 휇 resp. 휇′ be the associated endomorphisms of (E, 휓) resp. (E′, 휓′); then p p p p 휙∗ (휄휓) = 휄휓′ ⇐⇒ 휙∗ (휄휓)( −푑푝) = 휄휓′ ( −푑푝) ( −푑푝 generates Q( −푑푝) ⇐⇒ 휙 ◦ 휇 ◦ 휙b= 휇′[deg 휙] (multiplying by deg 휙) ⇐⇒ 휙 ◦ 휇 = 휇′ ◦ 휙 (cancelling 휙b) ′ ⇐⇒ 휙 ◦ 휋 푝 ◦ 휓 = 휋 푝 ◦ 휓 ◦ 휙 (by deﬁnition) ( 푝) ′ ( 푝) ⇐⇒ 휋 푝 ◦ 휙 ◦ 휓 = 휋 푝 ◦ 휓 ◦ 휙 (휋 푝 ◦ 휙 = 휙 ◦ 휋 푝) ( 푝) ′ ⇐⇒ 휙 ◦ 휓 = 휓 ◦ 휙 (cancelling 휋 푝) and the result follows on comparing deﬁnitions. □

Colò and Kohel [16] and Onuki [38] use class-group actions to study the isogeny graphs Γ(SSO (푝)) with vertex set SSO (푝) for different orders O. Proposition 3 allows us to transfer their results to our setting of (푑, 휖)-structures. (D (푝)) ( √ (푝)) 휖 휖 − Proposition 3. The graphs Γ 푑,휖 and Γ SSZ[ −푑 푝] are explicitly isomorphic for = 1 and = 1. p Proof. This follows from Lemmas 1 and 2, once we can show that the isomorphism class of any Z[ −푑푝]-oriented 2 supersingular curve (E, 휄) over F푝 contains a representative over F푝2 of order (푝 + 휖) . Since 푗 (E) is in F푝2 , after a 2 suitable F푝-isomorphism we may suppose that E is defined over F푝2 and #E(F푝2 ) = (푝 + 휖) ; and then 휄 is defined over F푝2 because for a supersingular elliptic curve over F푝2 all of the endomorphisms are defined over F푝2 . □ p p Let 퐾 = Q( −푑푝). The order Z[ −푑푝] has index 2 in O퐾 if −푑푝 ≡ 1 (mod 4), and is equal to O퐾 otherwise. If −푑푝 . 1 (mod 4), then, every naturalp orientation is a primitive O퐾 -orientation; if −푑푝 ≡ 1 (mod 4), each natural orientation is either a primitive Z[ −푑푝]-orientation or a primitive O퐾 -orientation.

Proposition 4. Let (E, 휓) be a supersingular (푑, 휖)-structure with natural orientation 휄휓. 1. If −푑푝 . 1 (mod 4), then 휄휓 is a primitive O퐾 -orientation. −푑푝 ≡ ( ) 휄 O 휇 E[ ] 2. If 1 mod 4 , then 휓pis a primitive 퐾 -orientation if the associated endomorphism fixes 2 pointwise, and a primitive Z[ −푑푝]-orientation otherwise. p 휄 Z[ −푑푝] Proof. By definition,p 휓 is a -orientation. To complete Case (2), it suffices top check whether the element 휄 ( 1 (− + −푑푝)) 1 (휇 − [ ]) 0 (E) ∩ 휄 (퐾) (E) 1 (− + −푑푝) O 휓 2 1p = 2 1 of End 휓 is in End (because 2 1 generates 퐾 , but is not in Z[ −푑푝]). This is the case if and only if 휇 − [1] factors over [2], if and only if 휇 fixes E[2] pointwise. □

In the light of Propositions 3 and 4, we partition D푑,휖 (푝) into two subsets:

max sub D푑,휖 (푝) = D푑,휖 (푝) ⊔ D푑,휖 (푝) ,

max sub where D푑,휖 (푝) contains the classes whose natural orientations are primitive O퐾 -orientations, and D푑,휖 (푝) contains the classes whose natural orientations are primitive orientations by the order of conductor 2 in O퐾 . If −푑푝 . 1

6 p max sub (mod 4), then D푑,휖 (푝) = D푑,휖 (푝) and D푑,휖 (푝) = ∅. If −푑푝 ≡ 1 (mod 4), then [O퐾 : Z[ −푑푝]] = 2, so max sub D푑,휖 (푝) resp. D푑,휖 (푝) consists of the (푑, 휖)-structures where 휇 acts trivially resp. nontrivially on the 2-torsion. Given Lemma 2, ℓ-isogenies of (푑, 휖)-structures are “ascending”, “descending”, and “horizontal” with respect max to the natural orientations: we have horizontal ℓ-isogenies between vertices in D푑,휖 (푝) and between vertices in sub max sub D푑,휖 (푝), while D푑,휖 (푝) and D푑,휖 (푝) are connected by ascending and descending 2-isogenies. In the language max sub of isogeny volcanoes, vertices in D푑,휖 (푝) form the “craters”, and vertices in D푑,휖 (푝) the “ﬂoors”.

4.3 THE CLASS GROUP ACTION p (Z[ −푑푝]) √ (푝) D (푝) Proposition 3 translates the action of Cl on SSZ[ −푑 푝] deﬁned above into an action on 푑,휖 . Dmax (푝) (O ) Theorem 2 makes this precise: it shows that 푑,휖 is a principal homogeneous spacep (or torsor) under Cl 퐾 , sub and that if D푑,휖 (푝) is not empty then it is a principal homogeneous space under Cl(Z[ −푑푝]). p Theorem 2. Let 퐾 = Q( −푑푝), with maximal order O퐾 , and let 휖 = ±1. max • The class group Cl(O퐾 ) acts freely and transitively on D푑,휖 (푝). p sub sub • If D푑,휖 (푝) ≠ 0, then Cl(Z[ −푑푝]) acts freely and transitively on D푑,휖 (푝). p Proof. Let O = O퐾 or Z[ −푑푝]. Since 푝 does not split in 퐾, Theorem 1 tells us that Cl(O) acts freely and 휌( (O)) ⊆ pr (푝) transitively on Ell SSO . Given the isomorphism of Proposition 3, it only remains to prove that 휌( (O)) pr (푝) (E, 휄) pr (푝) (E, 휄) (E, 휄) ( 푝) Ell = SSO . For any in SSO , Proposition 3.3 of [38] tells us that or is in 휌( (O)) 휌( (O)) pr (푝) E[ ] E[푑] ∩ 휇 휓 Ell . In our case,p both are in Ell , so the action on SSO is free: since 픡 = ker = ker , (푑, −푑푝) pr (푝) (E, 휄) (E, 휄) ( 푝) (E, 휓) (E, 휓) ( 푝) □ the action of 픡 = on SSO maps to , because it maps to . p Corollary 1. Let 퐾 = Q( −푑푝), with maximal order O퐾 . If ℎ퐾 = # Cl(O퐾 ), then

ℎ −푑푝 ≡ ( ) ,  퐾 if 1 mod 8 Dmax (푝) ℎ Dsub (푝) ℎ −푑푝 ≡ ( ) , # 푑,휖 = 퐾 and # 푑,휖 = 3 퐾 if 5 mod 8  0 otherwise . Dmax (푝) (O ) Dsub (푝) −푑푝 . ( ) Proof. By Theorem p2, we have # 푑,휖 = # Cl 퐾 and either # 푑,휖 = p0 (if 1 mod 4 ) or Dsub (푝) (Z[ −푑푝]) −푑푝 ≡ ( ) (Z[ −푑푝]) −푑푝 ≡ # 푑,휖 = # Cl p (if 1 mod 4 ). It remains to compute # Cl in the case 1 (mod 4), where Z[ −푑푝] has conductor 2. In this case, the formula of [19, Theorem 7.24] simpliﬁes to p # Cl(O퐾 ) −푑푝 # Cl(Z[ −푑푝]) = p 2 − , × × [O퐾 : Z[ −푑푝] ] 2 where the Kronecker symbol (−푑푝/2)pis 0 if 2 | −푑푝, 1 if −푑푝 ≡ ±1 (mod 8), and −1 if −푑푝 ≡ ±3 (mod 8). The × × result follows on noting that [O퐾 : Z[ −푑푝] ] = 1, because −푑푝 is never −3 or −4. □ (ℎ ) ∼ 1 | | −푑푝 Remark 3. The Brauer–Siegel theorem states that asymptotically, log2 퐾 2 log2 Δ퐾 , where Δ퐾 = if −푑푝 ≡ 1 (mod 4), and −4푑푝 otherwise. (See e.g. [34, Ch. XVI] for details.)

4.4 COMPUTING THE CLASS GROUP ACTION p Suppose we want to compute the action of (the class of) an ideal 픩 = (ℓ, 푎 +푏 −푑푝) on some (E, 휓) in D푑,휖 (푝). Following [20], we consider two approaches: “Vélu” and “modular”. In the “Vélu” approach, we compute a generator 퐾ℓ of the kernel E[픩] of 휙: that is, 퐾ℓ is a point in E[ℓ] such that [푎]휇(퐾ℓ ) = −[푏]퐾ℓ . This point may only be deﬁned over an extension F푝2푟 of F푝2 . We then compute 휙 E → E′ E/⟨퐾 ⟩ 푂(ℓ) F the quotient isogeny √: := ℓ using Vélu’s formulæ, at a cost of 푝2푟 -operations, or the e algorithm of [6], in 푂( ℓ) F푝2푟 -operations. Finally, we push 휓 through 휙 by computing the image of its kernel subgroup and choosing the correct “sign”. If we are given an F푝2 -rational generator 퐺 for ker 휓, then pushing 휓 through 휙 essentially costs one isogeny evaluation; otherwise, this amounts to an exercise√ in symmetric functions, e with a cost on the order of 푂(푑) isogeny evaluations. Each evaluation costs 푂(ℓ) or 푂( ℓ) F푝2 -operations. The total cost is dominated by the cost of the multiplication by the cofactor #퐸 (F푝2푟 )/ℓ needed to ﬁnd 퐾ℓ : we have 2 log (#퐸 (F푝2푟 )/ℓ) = 2푟 log 푝, so constructing 퐾ℓ requires 푂(푟 log 푝) operations in F푝2 . The “modular” approach uses modular polynomials. To compute the action of 픩 on (E, 휓), we compute 푝 푝 푝 퐺 = gcd(Φ푑 (푋, 푋 ), Φℓ ( 푗 (E), 푋)) (if 푑 = 1, then we take Φ1 (푋, 푋 ) = 푋 − 푋). In general 퐺 has only two roots

7 ′ in F푝2 , corresponding to the two ℓ-neighbours. In a non-backtracking walk we can divide by 푋 − 푗 (E ), where (E′, 휓′) is the preceding vertex, to find the next step. Otherwise, we can distinguish between the two neighbours by examining the action of 휇 on the ℓ-torsion. Care must be taken to identify, and to appropriately handle, the exceptional case where a neighbouring 푗-invariant admits multiple (푑, 휖)-structures modulo negation (as with the vertices 퐴 and 퐶 in the example of Figure 2 below). 푝 To compute gcd(Φ푑 (푋, 푋 ), Φℓ ( 푗 (퐸), 푋)), compute 퐹(푋) := Φℓ ( 푗 (E), 푋) in 푂(ℓ) F푝2 -operations, and then 푝 푌 := 푋 mod 퐹(푋) using the square-and-multiply algorithm in 푂(ℓ log 푝) F푝2 -operations. We then compute 2 2 푍 := Φ푑 (푋,푌) mod 퐹, and then gcd(푍, 퐹), in 푂(푑 ℓ ) F푝2 -operations. Generally ℓ is polynomial in log 푝, but typically it is even smaller, and then the dominating step is the computation of 푌. As in the ordinary case [20], the Vélu approach is more efficient when 푟2 < ℓ; in particular, when 퐾ℓ is defined over F 2 . If we are free to choose 푝, then we can optimize systems that use the action of a series of small primes ℓ푖 푝 p Î 푝 ℓ Z[ −푑푝] ℓ | 푝 + 휖 푝 푐 · 푛 ℓ − 휖 푐 푝 by taking such that the 푖 split in and 푖 , that is, = 푖=1 푖 with a cofactor making prime. In the case 푑 = 1, this is exactly the optimization that is key to making CSIDH practical. Remark 4. It would be interesting to look for an expression for the group action operating directly on the parameters in the Hasegawa families of §3.1 and §3.2.

5 THE SUPERSINGULAR ISOGENY GRAPH

We can now describe the structure of the isogeny graph Γ(D푑,휖 (푝)). Factoring isogenies, it suﬃces to describe Γℓ (D푑,휖 (푝)) for prime ℓ. The class group actions of Theorem 2 imply the isogeny counts in Table 1.

Table 1: The number of horizontal, ascending, and descending ℓ-isogenies from each vertex in the ℓ-isogeny graph. Prime ℓ Conditions on (푑, 푝) Vertex (sub)set Horizontal Ascending Descending Dmax (푝) −푑푝 ≡ ( ) 푑,휖 2 0 1 1 mod 8 sub D푑,휖 (푝) 0 1 0 Dmax (푝) ℓ = 2 −푑푝 ≡ ( ) 푑,휖 0 0 3 3 mod 8 sub D푑,휖 (푝) 0 1 0 −푑푝 . 1, 3 (mod 8) D푑,휖 (푝) 1 0 0 ℓ > 2 — D푑,휖 (푝) 1 + (−푑푝/ℓ) 0 0

Examples. Figures 1, 2, and 3, display ℓ-isogeny graphs on D3,1 (101), D3,−1 (97), and D3,1 (83) for various ℓ generating the class groups. These ﬁgures also form examples of the various 2-isogeny structures listed in Table 1.

퐶 −퐸 ( 푝) 퐹 퐸 −퐶 ( 푝)

−퐷 ( 푝) 퐵( 푝) 퐴 −퐵 퐷

퐷 ( 푝) −퐵( 푝) −퐴 퐵 −퐷

−퐶 퐸 ( 푝) −퐹 −퐸 퐶 ( 푝) √ Figure 1: Γ2 (D3,1 (101)) for ℓ = 2. The class group of Q( −303) is isomorphic to Z/10Z, and generated by an ideal over 2 (we see this in the length-10 cycle). The correspondence between vertex labels and parameters for the degree-3 Hasegawa family of §3.2 (with Δ = 2) is 퐴 ↔ 0, 퐵 ↔ 6, 퐶 ↔ 24, 퐷 ↔ 25, and 퐸 ↔ 42; the special vertex√퐹, which has no Hasegawa parameter, is (E, 휓) with E : 푦2 = 푥3 + 1 and 휓 : (푥, 푦) ↦→ ((67푥3 + 66)/푥2, (89푥3 + 96) 2푦/푥3). Note that 퐴( 푝) = −퐴 and 퐹 ( 푝) = −퐹. The underlying curves of 퐵 and 퐶 are isomorphic.

Involutions. There are two obvious involutions on Γ(D푑,휖 (푝)), negation and conjugation.p These are generally not ℓ O Z[ −푑푝] ℓ the only involutions. Every prime dividingp the discriminant ramiﬁes in 퐾 (and ); the prime 픩 over gives an element of order 2 in Cl(O퐾 ) (and Cl(Z[ −푑푝])), and thus an involution on Γ(D푑,휖 (푝)). Let 픡1,..., 픡푛 be the primes above the prime factors of 푑, and 픭 the prime above 푝; note that [픡1]···[픡푛] = [픭], because 픡1 ··· 픡푛픭 = (휇). 푛 If −푑푝 ≡ 1 or 2 (mod 4) then Cl(O퐾 )[2] = ⟨[픡1],..., [픡푛], [픭]⟩, so Cl(O퐾 )[2] (Z/2Z) . If −푑푝 ≡ 3

8 퐴 −퐴

−퐵 −퐶 퐷 −퐴( 푝) 퐴( 푝) 퐵 퐶 −퐷

퐵( 푝) 퐶 ( 푝) −퐷 ( 푝) −퐵( 푝) −퐶 ( 푝) 퐷 ( 푝)

√ Figure 2: The isogeny graphs Γ2 (D3,−1 (97)) (solid) and Γ5 (D3,−1 (97)) (dotted). We have Cl(Q( −3 · 97)) Z/4Z, generated by an ideal over 5. The 2-isogenies are ascending/descending up/down the page; the 5-isogenies are horizontal. The correspondence between vertex labels and parameters for the degree-3 Hasegawa family of §3.2 (with Δ = 5) is 퐴 ↔ 47, 퐵 ↔ 1, 퐶 ↔ 14, and 퐷 ↔ 22. The underlying curves of 퐴 and 퐶 are isomorphic.

퐴 −퐶 퐶 ( 푝) −퐵( 푝) 퐵 퐷 −퐴 −퐶 ( 푝) 퐶 −퐵 퐵( 푝) 퐷 ( 푝)

(D ( )) ℓ ℓ ℓ Figure 3: Γ√ℓ 3,1 83 for = 2 (solid), = 3 (dashed) and = 5 (dotted). All isogenies are horizontal. We have Cl(Q( −3 · 83)) Z/2Z × Z/6Z, with the Z/2Z-factor generated by the ideal above 3, and the Z/6Z-factor generated by an ideal above 5 (we see this in the length-6 cycles); the ideal above 2 is the cube of an ideal above 5. The correspondence between vertex labels and parameters for the degree-3 Hasegawa family of §3.2 (with Δ = 2) is 퐴 ↔ 0, 퐵 ↔ 32, 퐶 ↔√ 40; the special√ vertex 퐷, which√ has no Hasegawa parameter, is (E : 푦2 = 푥3 + 1, 휓) where 휓 maps (푥, 푦) to (((72 2 + 14)푥3 + (39 2 + 56))/푥2, 2(35푥3 + 52)푦/푥3). Note that −퐴 = 퐴( 푝) .

( ) (O )[ ] ⟨[ ], [ ],..., [ ], [ ]⟩ (O )[ ] (Z/ Z)푛+1 mod 4 , then Cl 퐾 2 = 픞 픡1 Î픡푛 픭 where 픞 is the ideal above 2, and Cl 퐾 2 2 . In each case, the action of the ideal class 푖 [픡푖] = [픭] on any (푑, 휖)-structure (E, 휓) is realised by the isogeny 휓 : (E, 휓) → (E ( 푝) , 휓 ( 푝) ), and is therefore equal to the conjugation involution. Since the group actions are free, each of the involutions that come from nontrivial 2-torsion elements in the class groups—including conjugation—has no fixed points. Negation, on the other hand, can have fixed points: for example, if 푝 ≡ 3 (mod 4) and E is the curve with 푗-invariant 1728, and 푖 is an automorphism of degree 4, (E, 푖) ( , ) (E, 푖) (E, −푖) ( , ) then is a 1 1 -structure, and . This√ is the only fixed point among 1 1 -structures, and its existence is implied by the fact that the class number of Cl( −푝) is odd when 푝 ≡ 3 (mod 4).

sub Remark 5. If −푑푝 ≡ 5 (mod 8), then there is an order-3 automorphism 푇 of D푑,휖 (푝) cycling the triplets of Dmax (푝) 푇 vertices with ascendingp 2-isogenies to the samep vertex in 푑,휖p . We will see that is inducedp by the action of an (Z[ −푑푝]) ( , −푑푝 − )Z[ −푑푝] (Z[ −푑푝]) ideal class in Cl . The ideal 픱 = 4 p 1 has order 3 in Cl p , but capitulates ( ) O −푑푝 − 휔 휔 1 ( −푑푝 − ) to become the principal ideal 2 in 퐾 (because 1p= 2 , where is the unit 2 1 ); indeed, 픱 generates the kernel of the canonical homomorphism Cl(Z[ −푑푝]) → Cl(O퐾 ). Since 픱 meets the conductor, its action on Dsub (푝) is not well-deﬁned, but we can consider the action of an equivalent ideal in the class group. Let Î 푑,휖 p Î ℓ푒푖 (푑푝 + )/ ℓ ( −푑푝 − ) · 푒푖 푖 푖 bep the prime factorization ofÎ 1 4 (and note that eachp푖 is odd); then 1 = 픱 푖 픩푖 where 푒푖 픩푖 := (ℓ푖, −푑푝 − 1); the product 푖 픩푖 is equivalent to 픱 in Cl(Z[ −푑푝]), prime to the conductor, and its action sub on D푑,휖 (푝) induces the automorphism 푇. In the case where 푑 = 1 (CSIDH), this is explained at length in [39].

Crossroads. The map (E, 휓) ↦→ E deﬁnes a covering from Γ(D푑,휖 (푝)) onto a subgraph of the isogeny graph of F 푑 푑 (D (푝)) (D (푝)) all supersingular curves over 푝2 . For 1 ≠ 2 the images of Γ 푑1,휖 and Γ 푑2,휖 can intersect, forming (D (푝)) (D (푝)) “crossroads” where we can switch from walking in Γ 푑1,휖 into Γ 푑2,휖 , and vice versa.

Deﬁnition 4. Let 푑1 ≠ 푑2 be squarefree integers such that 푑1푑2 is squarefree. We say that a supersingular curve 2 E/F푝2 with #E(F푝2 ) = (푝 + 휖) is a (푑1, 푑2)-crossroad if there exist isogenies 휓1 : E → E1 and 휓2 : E → E2 such that (E, 휓1) is a (푑1, 휖)-structure and (E, 휓2) is a (푑2, 휖)-structure.

If (E, 휓) is a (푑1, 휖)-structure, then we can easily check whether E is a (푑1, 푑2)-crossroad by evaluating ( 푗 (E, ), 푗 (E) 푝) (푑 , 푑 ) the classical modular polynomial Φ푑2 at . However, 1 2 -crossroads are generally very rare.

9 E (푑 , 푑 ) 푑 푑 Indeed, if is a 1 2 -crossroad,√ then it has an endomorphism of degree 1 2 with cyclic kernel (in particular, (푑 , 푑 ) 푑 푑 < 푝 1 2 -crossroads with 1 2 2 appear in the isogeny “valleys” described in [35]). We can therefore enumerate (푑 , 푑 ) F 2 푗 푑 푑 (푥, 푥) F 2 the entire set of 1 2 -crossroads over a given 푝 by computing the set of roots of Φ 1 Î2 in 푝 , and 푗 ( 푗, 푗 푝) (푥, 푥) (ℓ + ) ℓ then checking for which we have Φ푑1 = 0. The polynomial Φ푑1 푑2 has degree ℓ 1 where rangesp over the prime factors of 푑1푑2, so there are only 푂(푑1푑2)(푑1, 푑2)-crossroads (up to isomorphism) among O( 푑푝) (D (푝)) the vertices in Γ 푑1,휖 . But while crossroads are rare, computing the few examples is relatively easy, and computing (푑1, 푑2)-crossroads (D (푝)) (D (푝)) gives us a useful way of quickly constructing some vertices in Γ 푑1,휖 (and in Γ 푑2,휖 ). Suppose we (D푑 ,휖 (푝)) (D푑 ,휖 (푝)) want to construct a vertex in Γ 1 p . Since the vertices in Γ 1 correspond to curves with an Z[ −푑 푝] F endomorphism subring isomorphicp to 1 , we might try to construct a vertex from a root in 푝2 of the Hilbert class polynomial for Q( −푑1 푝); but the degree of this polynomial, which is the order of the class group, is exponential with respect to log 푝, so this approach is infeasible√ for large 푝. Instead, we choose a small squarefree 푑 푝 Q( −푑 푑 ) (푑 , 푑 ) E/F 2 such that does not split in the maximal order of 1 2 . If there exists a 1 2 -crossroad√ 푝2 , then its 푗-invariant is a root in F푝2 of a quadratic factor of the Hilbert class polynomial for Q( −푑1푑2), because the ( 푝) ( 푝) composition of the 푑1-isogeny E → E with the conjugate 푑2-isogeny E → E is a cyclic endomorphism of 푑 푑 (D (푝)) degree 1 2. All other vertices in Γ 푑1,휖 can then be reached through the class group action.

6 CRYPTOGRAPHIC APPLICATIONS p max sub The action of Cl(O퐾 ) on D푑,휖 (푝) and Cl(Z[ −푑푝]) on D푑,휖 (푝) makes Γ(D푑,휖 (푝)) a natural candidate setting for group-action/HHS-based postquantum cryptosystems following Stolbunov [43, 45, 46] and Couveignes [18]. 푑 > D (푝) For example, for each 1, we√ can deﬁne a key exchange algorithm on 푑,휖 generalizing CSIDH√ [11], (Z[ −푝]) Dsub (푝) (Q( −푝)) which uses the action of Cl on 1,1 and CSURF [10], which uses the action of Cl on Dmax (푝) D푑,휖 (푝) 1,1 . Despite the prominence of orientations, the relationship between key exchange in and the OSIDH protocol [16] is distant. The O-orientations in OSIDH involve orders O with massive conductors in O퐾 where O퐾 has tiny class number; here, O has tiny conductor and O퐾 has massive class number.

6.1 HARD PROBLEMS The conjectural hard problems for the action of Cl(O퐾 ) on D푑,휖 (푝) are vectorization (the analogue of the DLP) and parallelization (the analogue of the CDHP) from Couveigne’s Hard Homogenous Spaces framework [18]. ′ ′ ′ ′ Deﬁnition 5 (Vectorization). Given (E, 휓) and (E , 휓 ) in D푑,휖 (푝), ﬁnd 픞 ∈ Cl(O퐾 ) such that 픞·(E, 휓) = (E , 휓 ).

Definition 6 (Parallelization). Given (E0, 휓0), (E1, 휓1), and (E2, 휓2) in D푑,휖 (푝), compute the unique (E3, 휓3) in D푑,휖 (푝) such that (E3, 휓3) = (픞1픞2)·(E0, 휓0) where (E푖, 휓푖) = 픞푖 ·(E0, 휓0) for 푖 = 1 and 2. Solving Vectorization immediately solves Parallelization. In the opposite direction, no classical reduction is known, but the quantum equivalence of these two problems is shown in [25]. An extensive study of the possible classical and quantum attacks on Vectorization for 푑 = 1 can be found in [11]; all of these attacks extend to 푑 > 1 with a slowdown at most polynomial in 푑 for class groups of the same size, with that slowdown due to potentially more complicated isogeny evaluation and comparison algorithms. The best classical attack known on Vectorization is to use random walks in Γ(D푑,휖 (푝)), exactly as in the 푑 = 1 case in [21], which gives a solution after an expected 푂((푑푝)1/4) isogeny steps. Since Vectorization is an instance of the Abelian Hidden Shift Problem, the best quantum attack is Kuperberg’s algorithm [32, 42, 33] using the Childs–Jao–Soukharev quantum isogeny-evaluation algorithm as a subroutine [15], adapted to push 휓 through the ℓ-isogenies. This adaptation may incur a practically√ significant but asymptotically negligible cost; the result is a subexponential algorithm running in time 퐿푑 푝 [1/2, 2]. Even for 푑 = 1, there is some debate as to the concrete cost of this quantum algorithm, and the size of 푝 required to provide a cryptographically hard problem instance for common security levels [5, 8, 41]. (If and) when some consensus forms on secure parameter sizes for CSIDH, the same parameter sizes should make Vectorization and Parallelization in D푑,휖 (푝) cryptographically hard, too. We should also consider the impact of the various involutions on Γ(D푑,휖 (푝)). The negation involution already exists for 푑 = 1, where it essentially flips between a curve and its quadratic twist over F푝. This involution has not yet been exploited to give an interesting speedup in solving Vectorization or Parellization in the case 푑 = 1; a speedup for any 푑 would be an interesting result. For 푑 > 1, however, there is at least one new involution: namely, conjugation. We note that solving Vectorization modulo conjugation solves Vectorization, because a vertex and its conjugate are always connected by the action of an ideal of norm 푑. Working√ modulo conjugation allows us to shrink search spaces by a factor of 2, yielding a speedup by a factor of up to 2 analogous to working modulo negation when solving the classical ECDLP (as in [4]). When 푑 has 푛 prime factors, we get more involutions that

10 would allow us to work with equivalence classes of 2푛 vertices, shrinking the search spaces by a factor of 2푛. Prime 푑 therefore seems the simplest and strongest case to us. Finally, we note that if a random walk should wander into a crossroad, then we have found an isogeny to a supersingular curve with much known on its endomorphism ring. In this case, attacks analogous to that of [27] should apply. But as we have seen, crossroads are vanishingly rare; their existence should not create any weakness for schemes based on Γ(D푑,휖 (푝)), no more than they do for CSIDH.

6.2 NON-INTERACTIVE KEY EXCHANGE We now describe a non-interactive key-exchange protocol based on the class group action on Γ(D푑,휖 (푝)), generalizing CSIDH (the case 푑 = 1). The publicp parameters are a prime 푝, a prime 푑, an 휖 in {1, −1}, a set of 푛 {ℓ푖 } 푑푝 Q( −푑푝) 푖 ℓ푖 primes 푖=1 prime to and splitting in , together with a prime ideal 픩 above each , and a “starting” vertex (E0, 휓0) in D푑,휖 (푝) (constructed using the crossroad technique, for example). We also fix a secret keyspace K ⊂ Z푛 of exponent vectors such that #K ≥ 22휆 to provide 휆 bits of security against meet-in-the-middle attacks (though smaller K may suffice: see [14]). The prime 푝 must be large enough that Vectorization and Parallelization cannot be solved in fewer than 2휆 classical operations, or a comparable quantum effort. (푒 ) K For key generation,Î each user randomly samples their private key as a vector 푖 1≤푖 ≤푛 from , representing [ ] [ 푛 푒푖 ] (O ) (E, 휓) [ ]·(E , 휓 ) the ideal class 픞 = 푖=1 픩푖 in Cl 퐾 . Their public key is a vertex representing 픞 0 0 , which we can compute using the methods of §4.4. The public key may be compressed to a single element of F푝 plus a few bits using the modular techniques of §3. For key exchange, suppose Alice and Bob have key pairs ([픞], (E퐴, 휓퐴)) and ([픟], (E퐵, 휓퐵)), respectively. Alice receives and validates (E퐵, 휓퐵), and computes 푆퐴퐵 = (E퐴퐵, 휓퐴퐵) = [픞]·(E퐵, 휓퐵); Bob receives and validates (E퐴, 휓퐴), and computes 푆퐵퐴 = (E퐵퐴, 휓퐵퐴) = [픟]·(E퐴, 휓퐴). The commutativity of the group action implies that 푆퐴퐵 푆퐵퐴, so Alice and Bob have a shared secret up to isomorphism. To obtain a unique shared value for cryptographic key derivation, they can derive a modular “compressed” representation of the shared secret as in §3 (for example, when 푑 = 2 or 3, the parameter 푢 for the family of §3.1 or §3.2 and a sign bit suffice), or simply take 푗 (E퐴퐵) = 푗 (E퐵퐴) with a minimal security loss. Remark 6. When ideal classes represent cryptographic secrets, it is important to compute their actions in constant time. A number of techniques have been proposed for this in the context of CSIDH [36, 40, 12, 9, 3]. Each of these methods generalizes in a straightforward way to compute class-group actions on (푑, 휖)-structures. The only real algorithmic difference when evaluating an isogeny 휙 : (E, 휓) → (E′, 휓′) is that the isogeny 휓 must be pushed through 휙 in constant-time as well. For 푑 = 2 and 3, this amounts to pushing the 푥-coordinate of a single point through the isogeny, something that is already part of constant-time CSIDH implementations. For 푑 > 3 the kernel polynomial of 휓 can be pushed through 휙 using symmetric functions.

6.3 KEY VALIDATION AND SUPERSINGULARITY TESTING Public key validation is an important step in many public-key cryptosystems, notably in non-interactive key exchanges where it is a defence against active attacks. In our situation, this amounts to proving that a pair (E, 휓) max sub represents an element of D푑,휖 (푝) (or D푑,휖 (푝), or D푑,휖 (푝)). The first step is to check that (E, 휓) is a (푑, 휖)- structure: specifically, we must check that 휓 is indeed an isogeny from E to E ( 푝) and that 휓b = 휖휓 ( 푝) . This can be done with two 푑-isogeny computations, which costs very little when 푑 is small. 푑 F Verifying supersingularity is more complicated. For = 1 (CSIDH), we just check whether a curve over 푝 has√ order 푝 + 1, which can be done efficiently by probabilistically generating a point of order 푚 | 푝 + 1 with 푚 > 4 푝 2 (see [11, §5]). But this technique does not extend to 푑 > 1, where we must check if E/F푝2 has (푝 + 휖) points: our 2 valid curves have E(F푝2 ) (Z/(푝 + 휖)Z) , and therefore no points with the required order > 4푝. Instead, for 푑 > 1 we can specialize the deterministic supersingularity test of Sutherland [47]. Let 휋E be the 2 Frobenius endomorphism of E/F푝2 . The discriminant of Z[휋E] is bounded by 4푝 , so the conductor of Z[휋E] in O퐾 is bounded by 2푝; hence, if E is ordinary, then the maximal height of the 2-isogeny volcano containing E is (푝) + log2 1. Sutherland’s supersingularity test takes random non-backtracking 2-isogeny walks starting from each of the three 2-isogeny neighbours of E. If E is ordinary, then at least one of these walks will descend the 2-isogeny F (푝) + volcano, and will therefore terminate (with no non-backtracking step defined over 푝2 ) after at most log2 1 (푝) + E steps. Conversely, if no walk terminates after log2 1 steps, then must be supersingular. In our case, we know that End(E)p ⊃ Z[휇] ⊃ Z[휋E], and the conductor of Z[휋E] in Z[휇] is the integer |푟| of 푝/푑 (푝) + Proposition 1, which is bounded by 2 . We can therefore reduce the walk length limit from log2 1 to 1 ( (푝) − (푑)) + Z[휇] ⊂ (E) 2 log2 log2 1. We can also use the fact that End to ensure that we choose a “descending” path within at most two steps, and omit the other two paths. Thus, we can determine if a (푑, 휖)-structure (E, 휓) is 푑 ( 1 ( (푝) − (푑)) + ) supersingular for the cost of computing two -isogenies and 2 log2 log2 5 2-isogenies.

11 max sub We can determine whether (E, 휓) is in D푑,휖 (푝) or D푑,휖 (푝) (if required, and only if −푑푝 ≡ 1 (mod 4)) by computing the action of 휇 on the 2-torsion (at the cost of one or two 푑-isogeny evaluations) or by computing the 2-neighbours of (E, 휓) in Γ2 (D푑,휖 (푝)).

6.4 GENERALIZED DELFS–GALBRAITH ALGORITHMS

Let 푆 푝 be the set of supersingular curves over F푝2 , up to isomorphism. The general supersingular isogeny problem is, given E1 and E2 in 푆 푝, to compute an isogeny 휙 : E1 → E2. In [21], Delfs and Galbraith use the subset of supersingular curves defined over F푝, which we can identify with D1,1 (푝), to improve classical isogeny-finding algorithms based on random walks. Their algorithm has two phases: E E E′ E′ 1. Compute a random non-backtracking isogeny walk from 1 resp. 2 until we land on a curve 1 resp. 2 D (푝) 휙 E → E′ 휙 E → E′ 푆 in 1,1 . These walks yield isogenies 1 : 1 1 and 2 : 2 √ 2. The isogeny graph on 푝 has 푆 ≈ 푝/ D (푝) 푂( 푝) excellent√ mixing properties, and since # 푝 12 and # 1,1 = , this first phase takes an expected 푂( 푝) random isogeny steps. √ 휙′ E′ → E′ (Q( −푝)) D (푝) 2. Find an isogeny : 1 2 using the action of Cl acting√ on 1,1 (that is, solve Vectorization 푑 (Q( −푝)) L with = 1). Under the Generalized Riemann Hypothesis, Cl √ is generated by the set of ideals of prime norm up to 6 log (|Δ|)2, where Δ is the discriminant of Q( −푝) (see [2]) though in practice we do not need so many primes. The L-isogeny graph on D1,1 (푝) is therefore connected, and we can use random ′ √ walks in this subgraph to construct 휙 . By the birthday paradox, this phase takes an expected 푂( 4 푝) random 휙′ steps before finding the collision yielding . √ The Delfs–Galbraith algorithm exploits the action of Cl(Q( −푝)) on D1,1 (푝) to solve the isogeny problem in 푆 푝. We can generalize their algorithm by replacing the distinguished subgraph Γ(D1,휖 (푝)) with a union of subgraphs ⊔푑∈퐷Γ(D푑,휖 (푝)) where 퐷 is a set of coprime squarefree integers prime to 푝. In Phase 1, we now take ′ ′ random walks from E1 and E2 into ⊔푑∈퐷 D푑,휖 (푝).3 In Phase 2, if E is in D푑 ,휖 (푝) and E is in D푑 ,휖 (푝), then we ′ ′ ′ 1 1 2 ′ 2′ (푑 , 푑 ) E E → E D푑 ,휖 (푝) E → E D푑 ,휖 (푝) need to compute a 1 2 -crossroad 3 and find a path 1 3 in 1 and a path 2 3 in 2 . (푑 , 푑 ) 푑 푑 퐷 (In particular, we should ensure that there exist supersingular 1 2 -crossroads before includingÍ √1 and√ 2 in .) 푑 퐷 D (푝) 푂(( 푑) 푝) This is not worthwhile for large or large . Asymptotically,Í #√ 푑,휖 is in 푑∈퐷 , so the expected number of steps in Phase 1 is reduced by a factor of 푂( 푑∈퐷 푑). However, the individual steps become D (푝) F more expensive: if we use modular polynomialsÍ to check membership of each 푑,휖 , then the number of 푝2 - operations per step grows linearly with 푑∈퐷 푑, overwhelming the benefit of the shorter walks. Asymptotically, therefore, there is no benefit in taking large 푑 or large 퐷 in Phase 1. (For more analysis of random walks into (푑, ±1)-structures, in different contexts, see [22] and [13].) Generalized Delfs–Galbraith can become interesting for√퐷 consisting of a few small 푑, however, precisely 휅(푑, 푝) D (푝)/ D (푝) ≈ 푑 푑 < because the asymptotic := # 푑,휖 √ # 1,휖 no longer holds. For 10, for example, we can have 휅(푑, 푝) substantially greater than 푑 (and also substantially less than 1). For example, if 푝 is the toy SIDH-type prime 252 ·333 −1, then 휅(5, 푝) ≈ 4.916. If we can test for an isomorphism or 5-isogeny to the conjugate faster than we can compute six 2-isogenies, then we can take 퐷 = {1, 5} and walk into D1,휖 (푝) ⊔ D5,휖 (푝) faster than walking into D1,휖 (푝) alone. This speedup is counterbalanced by a slowdown in Phase 2, because walking in Γ(D5,휖 (푝)) costs more, and because the walks there need to be a square-root of 휅(5, 푝) longer—though we can work modulo conjugation to mitigate this cost.

6.5 (푑, 휖)-STRUCTURES AND SIDH GRAPHS As we noted above, the probability of a random walk in the supersingular ℓ-isogeny graph hitting a vertex that is the image of a (푑, 휖)-structure is very low. It is even lower when we consider SIDH/SIKE graphs, which cover only a very small proportion of the full isogeny graph, resembling trees of walks of short, fixed length. Nevertheless, when we look at specific SIKE graphs, we see that they contain sections of Γ2 (D푑,휖 (푝)) and Γ3 (D푑,휖 (푝)) for various 푑. For example, the starting curve in SIKEp434 has a 푑-isogeny to its conjugate for 푑 ∈ 퐷 = {5, 13, 17, 29, 37, 41} (and also for much higher, but less practical values of 푑). If we consider the 2-isogeny graph, then we find that Γ2 (D푑,휖 (푝)) passes through the starting curve and continues down through the tree towards a public key for 푑 = 17 and 41. Hence, if we can find a 2-isogeny path from a SIKEp434 public key to a vertex in the image of D17,휖 (푝) or D41,휖 (푝), then we have an express route to the starting curve. Such an attack succeeds in a reasonable time with only a very small probability, but it is still devastatingly effective for a tiny proportion of SIKEp434 keys.

3To measure the feasability of this attack, we need to estimate the average number of steps from a general supersingular elliptic curve E/F p 푝2 D ( 푝) (푚, P) 푚 P 푑/푝 to a curve in (the image of) 푑,휖 . This distance follows a binomial law where is the number of steps and = . Hence,p the 푚 probability P(푋 > 1) that we reach at least one element in D푑,휖 ( 푝) after 푚 steps from E is P(푋 > 1) = 1 − P(푋 = 0) = 1 − (1 − 푑/푝) . When 푑 = 1, this addresses some of the heuristic observations in [1], notably the distance to the F푝-spine.

12 REFERENCES [1] Sarah Arpin et al. “Adventures in Supersingularland”. In: Experimental Mathematics (to appear). url: https://eprint.iacr.org/2019/1056. [2] Eric Bach. Analytic methods in the analysis and design of number-theoretic algorithms. MIT Press, Cam- bridge MA, 1984. [3] Gustavo Banegas et al. “CTIDH: faster constant-time CSIDH”. In: Transactions on Cryptographic Hardware and Embedded Systems (to appear). url: https://ia.cr/2021/633. [4] Daniel J. Bernstein, Tanja Lange, and Peter Schwabe. “On the Correct Use of the Negation Map in the Pollard rho Method”. In: Public Key Cryptography - PKC 2011 - 14th International Conference on Practice and Theory in Public Key Cryptography, Taormina, Italy, March 6-9, 2011. Proceedings. Ed. by Dario Catalano et al. Vol. 6571. Lecture Notes in Computer Science. Springer, 2011, pp. 128–146. doi: 10.1007/978-3- 642-19379-8_8. [5] Daniel J. Bernstein et al. “Quantum Circuits for the CSIDH: Optimizing Quantum Evaluation of Isogenies”. In: Advances in Cryptology - EUROCRYPT 2019 - 38th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Darmstadt, Germany, May 19-23, 2019, Proceedings, Part II. Ed. by Yuval Ishai and Vincent Rijmen. Vol. 11477. Lecture Notes in Computer Science. Springer, 2019, pp. 409–441. doi: 10.1007/978-3-030-17656-3_15. [6] Daniel J. Bernstein et al. “Faster computation of isogenies of large prime degree”. In: Fourteenth Algorithmic Number Theory Symposium. Ed. by Steven D. Galbraith. Vol. 4. Open book series. Mathematical Sciences Publishers, 2020, pp. 39–55. url: https://doi.org/10.2140/obs.2020.4.39. [7] Ward Beullens, Thorsten Kleinjung, and Frederik Vercauteren. “CSI-FiSh: Eﬃcient Isogeny Based Signa- tures Through Class Group Computations”. In: Advances in Cryptology - ASIACRYPT 2019 - 25th Inter- national Conference on the Theory and Application of Cryptology and Information Security, Kobe, Japan, December 8-12, 2019, Proceedings, Part I. Ed. by Steven D. Galbraith and Shiho Moriai. Vol. 11921. Lecture Notes in Computer Science. Springer, 2019, pp. 227–247. doi: 10.1007/978-3-030-34578-5_9. [8] Xavier Bonnetain and André Schrottenloher. “Quantum Security Analysis of CSIDH”. In: Advances in Cryptology - EUROCRYPT 2020 - 39th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Zagreb, Croatia, May 10-14, 2020, Proceedings, Part II. Ed. by Anne Canteaut and Yuval Ishai. Vol. 12106. Lecture Notes in Computer Science. Springer, 2020, pp. 493–522. doi: 10. 1007/978-3-030-45724-2_17. [9] Fabio Campos et al. “Trouble at the CSIDH: Protecting CSIDH with Dummy-Operations Against Fault Injection Attacks”. In: 17th Workshop on Fault Detection and Tolerance in Cryptography, FDTC 2020, Milan, Italy, September 13, 2020. IEEE, 2020, pp. 57–65. doi: 10.1109/FDTC51366.2020.00015. [10] Wouter Castryck and Thomas Decru. “CSIDH on the Surface”. In: Post-Quantum Cryptography - 11th International Conference, PQCrypto 2020, Paris, France, April 15-17, 2020, Proceedings. Ed. by Jintai Ding and Jean-Pierre Tillich. Vol. 12100. Lecture Notes in Computer Science. Springer, 2020, pp. 111–129. doi: 10.1007/978-3-030-44223-1_7. [11] Wouter Castryck et al. “CSIDH: An Eﬃcient Post-Quantum Commutative Group Action”. In: Advances in Cryptology - ASIACRYPT 2018 - 24th International Conference on the Theory and Application of Cryptology and Information Security, Brisbane, QLD, Australia, December 2-6, 2018, Proceedings, Part III. Ed. by Thomas Peyrin and Steven D. Galbraith. Vol. 11274. Lecture Notes in Computer Science. Springer, 2018, pp. 395–427. doi: 10.1007/978-3-030-03332-3_15. [12] Daniel Cervantes-Vázquez et al. “Stronger and Faster Side-Channel Protections for CSIDH”. In: Progress in Cryptology - LATINCRYPT 2019 - 6th International Conference on Cryptology and Information Security in Latin America, Santiago de Chile, Chile, October 2-4, 2019, Proceedings. Ed. by Peter Schwabe and Nicolas Thériault. Vol. 11774. Lecture Notes in Computer Science. Springer, 2019, pp. 173–193. doi: 10.1007/978-3-030-30530-7_9. [13] Denis X. Charles, Kristin E. Lauter, and Eyal Z. Goren. “Cryptographic hash functions from expander graphs”. In: Journal of Cryptology 22.1 (2009), pp. 93–113. [14] Jorge Chávez-Saab et al. The SQALE of CSIDH: square-root Vélu quantum-resistant isogeny action with low exponents. Cryptology ePrint Archive, Report 2020/1520. 2020. [15] Andrew Childs, David Jao, and Vladimir Soukharev. “Constructing elliptic curve isogenies in quantum subexponential time”. In: Journal of Mathematical Cryptology 8.1 (2014), pp. 1–29.

13 [16] Leonardo Colò and David Kohel. “Orienting supersingular isogeny graphs”. In: Journal of Mathematical Cryptolology 14.1 (2020), pp. 414–437. doi: 10.1515/jmc-2019-0034. [17] Craig Costello and Benjamin Smith. “The Supersingular Isogeny Problem in Genus 2 and Beyond”. In: Post- Quantum Cryptography - 11th International Conference, PQCrypto 2020, Paris, France, April 15-17, 2020, Proceedings. Ed. by Jintai Ding and Jean-Pierre Tillich. Vol. 12100. Lecture Notes in Computer Science. Springer, 2020, pp. 151–168. doi: 10.1007/978-3-030-44223-1_9. [18] Jean-Marc Couveignes. Hard Homogeneous Spaces. 2006. url: http://eprint.iacr.org/2006/291. [19] David A. Cox. Primes of the Form 푥2 + 푛푦2: Fermat, Class Field Theory, and Complex Multiplication. 2nd. Pure and Applied Mathematics: A Wiley Series of Texts, Monographs and Tracts. John Wiley and Sons, 2013. doi: 10.1002/9781118400722. [20] Luca De Feo, Jean Kieffer, and Benjamin Smith. “Towards Practical Key Exchange from Ordinary Isogeny Graphs”. In: Advances in Cryptology - ASIACRYPT 2018 - 24th International Conference on the Theory and Application of Cryptology and Information Security, Brisbane, QLD, Australia, December 2-6, 2018, Proceedings, Part III. Ed. by Thomas Peyrin and Steven D. Galbraith. Vol. 11274. Lecture Notes in Computer Science. Springer, 2018, pp. 365–394. doi: 10.1007/978-3-030-03332-3_14. [21] Christina Delfs and Steven D. Galbraith. “Computing isogenies between supersingular elliptic curves over F푝”. In: Designs, Codes and Cryptography 78.2 (2016), pp. 425–440. doi: 10.1007/s10623-014-0010-1. [22] Kirsten Eisenträger et al. “Computing endomorphism rings of supersingular elliptic curves and connections to path-finding in isogeny graphs”. In: Fourteenth Algorithmic Number Theory Symposium. Ed. by Steven D. Galbraith. Vol. 4. Open book series. Mathematical Sciences Publishers, 2020, pp. 215–232. doi: https: //doi.org/10.2140/obs.2020.4.215. [23] Luca De Feo, David Jao, and Jérôme Plût. “Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies”. In: Journal of Mathematical Cryptology 8.3 (2014), pp. 209–247. doi: 10.1515/ jmc-2012-0015. [24] Luca De Feo et al. “SQISign: Compact Post-quantum Signatures from Quaternions and Isogenies”. In: Advances in Cryptology - ASIACRYPT 2020 - 26th International Conference on the Theory and Application of Cryptology and Information Security, Daejeon, South Korea, December 7-11, 2020, Proceedings, Part I. Ed. by Shiho Moriai and Huaxiong Wang. Vol. 12491. Lecture Notes in Computer Science. Springer, 2020, pp. 64–93. doi: 10.1007/978-3-030-64837-4_3. [25] Steven Galbraith et al. “Quantum Equivalence of the DLP and CDHP for Group Actions”. In: Mathematical Cryptology 1.1 (2021), pp. 40–44. url: https://eprint.iacr.org/2018/1199. [26] Steven D. Galbraith, Xibin Lin, and Michael Scott. “Endomorphisms for Faster Elliptic Curve Cryptography on a Large Class of Curves”. In: Journal of Cryptology 24.3 (2011), pp. 446–469. doi: 10.1007/s00145- 010-9065-y. [27] Steven D. Galbraith et al. “On the Security of Supersingular Isogeny Cryptosystems”. In: Advances in Cryptology - ASIACRYPT 2016 - 22nd International Conference on the Theory and Application of Cryptology and Information Security, Hanoi, Vietnam, December 4-8, 2016, Proceedings, Part I. Ed. by Jung Hee Cheon and Tsuyoshi Takagi. Vol. 10031. Lecture Notes in Computer Science, pp. 63–91. doi: 10.1007/978-3- 662-53887-6_3. [28] Aurore Guillevic and Sorina Ionica. “Four-Dimensional GLV via the Weil Restriction”. In: Advances in Cryptology - ASIACRYPT 2013 - 19th International Conference on the Theory and Application of Cryptology and Information Security, Bengaluru, India, December 1-5, 2013, Proceedings, Part I. Ed. by Kazue Sako and Palash Sarkar. Vol. 8269. Lecture Notes in Computer Science. Springer, 2013, pp. 79–96. doi: 10. 1007/978-3-642-42033-7_5. [29] Yuji Hasegawa. “Q-curves over quadratic fields”. In: Manuscripta Mathematica 94.1 (1997), pp. 347–364. issn: 1432-1785. doi: 10.1007/BF02677859. [30] David Jao and Luca De Feo. “Towards Quantum-Resistant Cryptosystems from Supersingular Elliptic Curve Isogenies”. In: Post-Quantum Cryptography - 4th International Workshop, PQCrypto 2011, Taipei, Taiwan, November 29 - December 2, 2011. Proceedings. Ed. by Bo-Yin Yang. Vol. 7071. Lecture Notes in Computer Science. Springer, 2011, pp. 19–34. doi: 10.1007/978-3-642-25405-5_2. [31] David Jao et al. SIKE – Supersingular Isogeny Key Encapsulation. URL: https://sike.org/. [32] Greg Kuperberg. “A subexponential-time quantum algorithm for the dihedral hidden subgroup problem”. In: SIAM Journal of Computing 35.1 (2005), pp. 170–188. eprint: quant-ph/0302112.

14 [33] Greg Kuperberg. “Another Subexponential-time Quantum Algorithm for the Dihedral Hidden Subgroup Problem”. In: 8th Conference on the Theory of Quantum Computation, Communication and Cryptography (TQC 2013). Ed. by Simone Severini and Fernando Brandao. Vol. 22. Leibniz International Proceedings in Informatics (LIPIcs). Dagstuhl, Germany: Schloss Dagstuhl–Leibniz-Zentrum fuer Informatik, 2013, pp. 20– 34. isbn: 978-3-939897-55-2. doi: 10.4230/LIPIcs.TQC.2013.20. url: http://drops.dagstuhl. de/opus/volltexte/2013/4321. [34] Serge Lang. Algebraic Number Theory. Vol. 110. Graduate Texts in Mathematics. Springer, 1994. [35] Jonathan Love and Dan Boneh. “Supersingular Curves With Small Non-integer Endomorphisms”. In: Four- teenth Algorithmic Number Theory Symposium. Ed. by Steven D. Galbraith. Vol. 4. Open book series. Mathematical Sciences Publishers, 2020, pp. 7–22. doi: https://doi.org/10.2140/obs.2020.4.7. [36] Michael Meyer, Fabio Campos, and Steffen Reith. “On Lions and Elligators: An Efficient Constant-Time Implementation of CSIDH”. In: Post-Quantum Cryptography - 10th International Conference, PQCrypto 2019, Chongqing, China, May 8-10, 2019 Revised Selected Papers. Ed. by Jintai Ding and Rainer Steinwandt. Vol. 11505. Lecture Notes in Computer Science. Springer, 2019, pp. 307–325. doi: 10.1007/978-3-030- 25510-7_17. [37] François Morain, Charlotte Scribot, and Benjamin Smith. “Computing cardinalities of Q-curve reductions over finite fields”. In: LMS Journal of Computation and Mathematics 19.A (Aug. 2016), p. 15. doi: 10. 1112/S1461157016000267. url: https://hal.inria.fr/hal-01320388. [38] Hiroshi Onuki. “On oriented supersingular elliptic curves”. In: Finite Fields and their Applications 69 (2021), p. 101777. doi: 10.1016/j.ffa.2020.101777. [39] Hiroshi Onuki and Tsuyoshi Takagi. “On Collisions Related to an Ideal Class of Order 3 in CSIDH”. In: Advances in Information and Computer Security. Ed. by Kazumaro Aoki and Akira Kanaoka. Cham: Springer International Publishing, 2020, pp. 131–148. isbn: 978-3-030-58208-1. [40] Hiroshi Onuki et al. “A Constant-Time Algorithm of CSIDH Keeping Two Points”. In: IEICE Transactions on Fundamentals of Electronics, Communications, and Computer Science 103-A.10 (2020), pp. 1174–1182. doi: 10.1587/transfun.2019DMP0008. [41] Chris Peikert. “He Gives C-Sieves on the CSIDH”. In: Advances in Cryptology - EUROCRYPT 2020 - 39th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Zagreb, Croatia, May 10-14, 2020, Proceedings, Part II. Ed. by Anne Canteaut and Yuval Ishai. Vol. 12106. Lecture Notes in Computer Science. Springer, 2020, pp. 463–492. doi: 10.1007/978-3-030-45724-2_16. [42] Oded Regev. A Subexponential Time Algorithm for the Dihedral Hidden Subgroup Problem with Polynomial Space. arXiv:quant-ph/0406151. June 2004. url: http://arxiv.org/abs/quant-ph/0406151. [43] Alexander Rostovtsev and Anton Stolbunov. “Public-Key Cryptosystem Based on Isogenies”. In: IACR Cryptology ePrint Archive 2006 (2006), p. 145. url: http://eprint.iacr.org/2006/145. [44] Benjamin Smith. “The Q-curve Construction for Endomorphism-Accelerated Elliptic Curves”. In: Journal of Cryptology 29.4 (2016), pp. 806–832. doi: 10.1007/s00145-015-9210-8. [45] Anton Stolbunov. “Reductionist Security Arguments for Public-Key Cryptographic Schemes Based on Group Action”. In: Norsk informasjonssikkerhetskonferanse (NISK). Ed. by Stig F. Mjølsnes. 2009. [46] Anton Stolbunov. “Constructing public-key cryptographic schemes based on class group action on a set of isogenous elliptic curves”. In: Advances in Mathematics of Communications 4.2 (2010). [47] Andrew V. Sutherland. “Identifying supersingular elliptic curves”. In: LMS Journal of Computation and Mathematics 15 (2012), pp. 317–325. doi: 10.1112/S1461157012001106.