When studying proposed isogeny-based cryptosystems, several computational problems naturally appear: some are upper bounds for the security of the system (if one can solve the problem, then one can break the cryptosystem), some are lower bounds (if one can break the cryptosystem, then one can solve the problem). We would therefore like to understand the relative difficulty of these problems, ideally showing that they are all equivalent. I will explain the proof of one such equivalence, between the supersingular Endomorphism Ring problem (given a supersingular elliptic curve, find all its endomorphisms) and the supersingular One Endomorphism problem (given a supersingular elliptic curve, find one non-scalar endomorphism). The proof uses properties of fast equidistribution in isogeny graphs of supersingular elliptic curves equipped with extra structure, which we prove by going via quaternion algebras and modular forms. This is joint work with Benjamin Wesolowski.
| © MPI f. Mathematik, Bonn | Impressum & Datenschutz |
English
Deutsch