We study cryptosystems based on supersingular isogenies. This is an active area of research in post-quantum cryptography. Our first contribution is to give a very powerful active attack on the supersingular isogeny encryption scheme. This attack can only be prevented by using a (relatively expensive) countermeasure. Our second contribution is to show that the security of all schemes of this typ...

We present an attack on SIDH utilising isogenies between polarized products of two supersingular elliptic curves. In the case arbitrary starting curve, our (discovered independently from [8]) has subexponential complexity, thus significantly reducing security and SIKE. When endomorphism ring curve is known, (here derived polynomial-time complexity assuming generalised Riemann hypothesis. Our ap...

We describe an algorithm that we used to compute the q-expansions of all weight 2 cusp forms prime level at most $$2,\!000,\!000$$ and dimension 6. also present verify there was only one form 7 or more per Atkin-Lehner eigenspace for levels between $$10,\!000$$ $$1,\!000,\!000$$ . Our is based on Mestre’s Méthode des Graphes, involves supersingular isogeny graphs Wiedemann’s finding minimal pol...

On an elliptic curve, the degree of an isogeny corresponds essentially to the degrees of the polynomial expressions involved in its application. The multiplication by ` map [`] has degree `, therefore the complexity to directly evaluate [`](P ) is O(`). For a small prime ` (= 2, 3) such that the additive binary representation provides no better performance, this represents the true cost of appl...

An isogeny between elliptic curves is an algebraic morphism which is a group homomorphism. Many applications in cryptography require evaluating large degree isogenies between elliptic curves efficiently. For ordinary curves of the same endomorphism ring, the previous best known algorithm has a worst case running time which is exponential in the length of the input. In this paper we show this pr...

Addition chain calculations play a critical role in determining the e ciency of cryptosystems based on isogenies on elliptic curves. However, nding a minimal length addition chain is not easy; a generalized version of the problem, in which one must nd a chain that simultaneously forms each of a sequence of values, is NP-complete. For the special primes used in such cryptosystems, nding fast add...

We present a generalization to genus 2 of the probabilistic algorithm of Sutherland for computing Hilbert class polynomials. The improvement over the Bröker-Gruenewald-Lauter algorithm for the genus 2 case is that we do not need to find a curve in the isogeny class whose endomorphism ring is the maximal order; rather, we present a probabilistic algorithm for “going up” to a maximal curve (a cur...

We provide a simple method of constructing isogeny classes of abelian varieties over certain fields k such that no variety in the isogeny class has a principal polarization. In particular, given a field k, a Galois extension l of k of odd prime degree p, and an elliptic curve E over k that has no complex multiplication over k and that has no k-defined p-isogenies to another elliptic curve, we c...