Rational isogenies from irrational endomorphisms (Q2119023)

Isogeny-based cryptography relies on the hardness of computing an isogeny between two isogenous elliptic curves over a finite field \(\mathbb{F}_q\). The currently most efficient cryptosystems rely on supersingular curves and can be broadly classified into two families, known as SIDH (Supersingular-Isogeny Diffie-Hellman) and CSIDH (Commutative SIDH), depending on which supersingular elliptic curves and connecting isogenies are being used. In the paper under review, the authors succeed to reduce the security of the CSIDH cryptosystem to the problem of computing endomorphism rings of supersingular elliptic curves. They provide a polynomial-time algorithm to compute a connecting \(\mathcal{O}\)-ideal between two supersingular elliptic curves over \(\mathbb{F}_p\) with a common \(\mathbb{F}_p\)-endomorphism ring \(\mathcal{O}\), given a description of their full endomorphism rings. Furthermore, it is advised to not use any supersingular elliptic curve which is constructed by the complex-multiplication method as a building block for a hash function in the supersingular isogeny graph. For the entire collection see [Zbl 1482.94003].