SuperSolver: accelerating the Delfs-Galbraith algorithm with fast subfield root detection
We give a new algorithm for finding an isogeny from any given supersingular elliptic curve to a subfield elliptic curve, which is the bottleneck step of the Delfs-Galbraith algorithm for the general supersingular isogeny problem. Our core ingredient is a novel method of rapidly determining whether a polynomial has any roots in a subfield, while crucially avoiding expensive root-finding algorithms. In the special case when this polynomial is the ell-th modular polynomial evaluated at a supersingular j-invariant, this provides a means of efficiently determining whether there is an ell-isogeny connecting the corresponding elliptic curve to a subfield curve. Together with the traditional Delfs-Galbraith walk, inspecting many ell-isogenous neighbours in this way allows us to search through a larger proportion of the supersingular set per unit of time. Though the asymptotic complexity of our improved algorithm remains unchanged from that of the original Delfs-Galbraith algorithm, our theoretical analysis and practical implementation both show a significant reduction in the runtime of the subfield search. This sheds new light on the concrete hardness of the general supersingular isogeny problem, the foundational problem underlying isogeny-based cryptography.
Accelerating the Delfs-Galbraith algorithm with fast subfield root detection
In this talk, we discuss the general supersingular isogeny problem, the foundational hardness assumption underpinning isogeny-based cryptography. We implement and optimize the best attack against this problem – the Delfs-Galbraith algorithm – to explicitly determine its concrete complexity. We then develop an improved algorithm that employs a novel method of rapidly determining whether a polynomial has any roots in a subfield. Our improved attack decreases the concrete complexity by a factor of at least 4, an advantage that increases as the parameters (i.e., the underlying prime p) grow. As a result, we shed new light on the concrete hardness of the general supersingular isogeny problem, which has immediate implications on the bit-security of schemes like B-SIDH and SQISign for which Delfs–Galbraith is the best-known classical…