
ARENBERG DOCTORAL SCHOOL

Faculty of Engineering Science

Aspects of elliptic and hyperelliptic curve isogeny-based cryptography

Thomas Decru

Supervisors:
Prof. dr. ir. F. Vercauteren
Dr. W. Castryck

Dissertation presented in partial fulfillment of the requirements for the degree of Doctor of Engineering Science (PhD): Electrical Engineering

June 2022
Aspects of elliptic and hyperelliptic curve
isogeny-based cryptography

Thomas DECRU

Examination committee:
Prof. dr. ir. A. Bultheel, chair
Prof. dr. ir. F. Vercauteren, supervisor
Dr. W. Castryck, supervisor
Prof. dr. N. Smart
Prof. dr. W. Veys
Prof. dr. C. Petit (ULB, Belgium)
Dr. C. Martindale (University of Bristol, United Kingdom)

Dissertation presented in partial fulfillment of the requirements for the degree of Doctor of Engineering Science (PhD): Electrical Engineering

June 2022
© 2022 KU Leuven – Faculty of Engineering Science
Self-published by Thomas Decru, Kasteelpark Arenberg 10/2452, B-3001 Leuven (Belgium)

All rights reserved. No part of the publication may be reproduced in any form by print, photoprint, microfilm,
electronic or any other means without written permission from the publisher.
Preface

What a long strange trip it’s been! Starting out uni at age 25 isn’t exactly a
common occurrence around here, but I have not regretted my decision for one
second. I had the privilege of learning lots of intriguing things, meeting dozens
of interesting people and visiting amazing locations.
First of all I would like to thank my supervisors Fré and Wouter. They were
around whenever I needed them, but also gave me the freedom to pursue my
own interests. I would also like to thank my other co-authors Lorenz Panny
and Ben Smith, in alphabetical order, as is standard in our field.¹ There were
numerous other cryptographers and mathematicians with whom I did not have
the honor of co-authoring a paper, but they nonetheless helped me reach where
I am today, so thank you to them as well.
Cosic is an amazing research group, something which should absolutely not be
taken for granted. People from all branches of cryptography are gathered, and
it’s nigh impossible to want to learn more about a particular subject without a
colleague being ready to teach you the ins and outs. COVID-19 has put a bit
of a damper on this the last two years (I really do miss the Friday lunches in
the party room), but hopefully things return to normal soon.
Outside of academia I would also like to thank my family and friends. In
particular my parents who always supported me, no matter how obscure my
life decisions seemed (“Professional poker player? Are you sure?”). My wife
Laurence, who can read me better than I will ever understand myself. And last
but certainly not least, my stepdaughter Mila, who can conjure a smile on my
face any day of the week, regardless of my mood.
Thank you. All of you.

¹ And as Lorenz would have wanted, with an explanatory link as to why it is standard in our field: https://www.ams.org/profession/leaders/CultureStatement04.pdf
Abstract

All currently-used public-key cryptographic protocols may be deemed worthless
in the future with the possible advent of sufficiently large quantum computers.
The cryptographic community at large has been looking for alternative schemes
that can withstand attacks from both classical and quantum computers.
Inherently, there are only a handful of underlying mathematical concepts that
offer this type of security while still being practical. In this thesis, we will
focus on the isogeny-based cryptographic protocols. We will start with a self-
contained background of isogeny-based cryptography, where the focus will be on
the computational aspects. Next, we will make contributions to the following
two objectives.
Speed. The majority of isogeny-based protocols have the advantage of very
compact keys, but this comes at the cost of being relatively slow. In comparison
with other schemes that are assumed to be safe from quantum attacks, the
isogeny-based ones are typically at least an order of magnitude slower. We
start by speeding up the SeaSign signature scheme by a factor of 4 to 66,
depending on the parameter selection. Then, we change the mathematical setting
underlying CSIDH slightly such that fast 2-isogenies can be used, resulting in
a speed-up of about 6% for the 128-bit quantum security level. Finally, we
introduce the concept of radical isogenies, which from an arithmetic point of
view mimics these fast 2-isogenies but now allows us to use similar computations
on isogenies of somewhat larger prime degrees. The speed-up over the initial
CSIDH implementation is roughly 19% on the 128-bit security level.
Higher-dimensional isogeny-based cryptography. In the past four
decades, higher-dimensional variants of elliptic curves were studied to see
if they could offer any benefit in the classical elliptic-curve cryptography setting.
The answer to this question was neutral to negative, but there is no fundamental
reason to assume that the same holds for isogeny-based cryptography. We fix
the genus-2 variant of the CGL hash function based on (2, 2)-isogenies, which
was discovered to have many collisions for any input. Assuming we have
access to three parallel cores, this variant can hash a message at roughly three
times the speed of the original CGL hash function. Finally, we also generalize
the concept of radical isogenies to higher dimensions, which are then called
multiradical isogenies. This allows us to use efficient (3, 3)-isogenies in a new
variant of the CGL hash function, which outperforms our version based on
(2, 2)-isogenies by a factor of nine on a single core.
Brief summary (Beknopte samenvatting)

All of today's public-key cryptographic protocols may be deemed worthless in the
future with the possible advent of sufficiently large quantum computers. The
cryptographic community has set out to look for alternative schemes that can
withstand attacks from both classical and quantum computers. Inherently, there
are only a handful of mathematical concepts that can offer this kind of security
and are moreover practical. In this thesis we will focus on isogeny-based
cryptographic protocols. We start with a self-contained background on
isogeny-based cryptography, where the focus will be on the computational
aspects. Next we will make contributions with respect to the following two
objectives.
Speed. The majority of isogeny-based protocols enjoy the advantage of compact
keys, but this comes at the cost of their speed. In comparison with other
schemes deemed to be safe against quantum attacks, the isogeny-based ones are
typically an order of magnitude slower. We begin by speeding up the SeaSign
signature by a factor of 4 to 66, depending on the parameter choice. Next we
change the mathematical setting of CSIDH so that fast 2-isogenies can be used,
which results in a speed-up of about 6% at the 128-bit security level. Finally
we introduce the concept of radical isogenies, which from an arithmetic point of
view mimic the fast 2-isogenies but now allow us to use similar computations on
isogenies of slightly larger prime degree. The speed gain compared with the
original implementation of CSIDH is about 19% at the 128-bit security level.
Isogeny-based cryptography in higher dimensions. In the past four decades,
higher-dimensional variants of elliptic curves were studied to investigate
whether they offered advantages in the classical domain of elliptic-curve
cryptography. The answer to this question was neutral to negative, but there is
no fundamental reason to assume that this also holds for isogeny-based
cryptography. We repair the genus-two variant of the CGL hash function based on
(2, 2)-isogenies, which was discovered to contain many collisions for any input.
If we assume access to three cores, this variant can hash a message roughly
three times as fast as the original CGL hash function. Finally we generalize the
concept of radical isogenies to higher dimensions, where they are called
multiradical isogenies. This allows us to use efficient (3, 3)-isogenies in a
new variant of the CGL hash function, which outperforms our previous version
based on (2, 2)-isogenies by a factor of nine on a single core.
List of Abbreviations

B-SIDH Supersingular Isogeny Diffie–Hellman using twisted torsion. 45

CGL Charles–Goren–Lauter. iii, iv, vi, 9, 16, 17, 26, 30, 34, 38, 60, 61
CSI-FiSh Commutative Supersingular Isogeny-based Fiat–Shamir. 9, 58
CSIDH Commutative Supersingular Isogeny Diffie–Hellman. iii, v, xiii, 9, 11,
13, 15, 31, 34, 39, 45, 57–59
CSURF CSIDH on the surface. xi, 59, 119

ECDH Elliptic Curve Diffie–Hellman. 6–8


ECDLP Elliptic Curve Discrete Logarithm Problem. 6–8, 12, 13
ECDSA Elliptic Curve Digital Signature Algorithm. 6
ECIES Elliptic Curve Integrated Encryption Scheme. 6

NIST National Institute of Standards and Technology. xv, 7, 9–14, 30

RSA Rivest–Shamir–Adleman. 7, 8, 12

SeaSign CSIDH-based Signature. iii, 9, 15


SIDH Supersingular Isogeny Diffie–Hellman. xiii, 9–11, 13, 30, 31, 34, 54, 58,
60
SIKE Supersingular Isogeny Key Exchange. 9–14, 30
SQISign Short Quaternion and Isogeny Signature. 9, 11, 58

TLS Transport Layer Security. 7

Contents

Abstract iii

Beknopte samenvatting v

List of Abbreviations vii

Contents ix

List of Figures xiii

List of Tables xv

Part I Isogeny-based cryptography 1

Chapter 1: Introduction 3
1.1 The history of elliptic curve cryptography . . . . . . . . . . . . 4
1.2 Post-quantum cryptography . . . . . . . . . . . . . . . . . . . . 7
1.3 Strengths & weaknesses of isogeny-based cryptography . . . . . 10
1.4 Research problems and overview of the thesis . . . . . . . . . . 14

Chapter 2: Preliminaries 19
2.1 Mathematical background . . . . . . . . . . . . . . . . . . . . . 20
2.1.1 Abelian varieties . . . . . . . . . . . . . . . . . . . . . . 20
2.1.2 Isogenies . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
2.1.3 Superspeciality . . . . . . . . . . . . . . . . . . . . . . . 24
2.2 Cryptographic background . . . . . . . . . . . . . . . . . . . . . 26
2.2.1 Charles–Goren–Lauter hash function . . . . . . . . . . . 26
2.2.2 Supersingular Isogeny Diffie–Hellman . . . . . . . . . . 29
2.2.3 Commutative Supersingular Isogeny Diffie–Hellman . . 31
2.3 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

Chapter 3: Isogenies between elliptic curves 35


3.1 Kernel, division and modular polynomials . . . . . . . . . . . . 36
3.2 Vélu’s formulae . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

3.3 √élu’s square-root formulae . . . . . . . . . . . . . . . . . . . . 42
3.4 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

Chapter 4: (N, N )-isogenies between two-dimensional abelian varieties 47
4.1 Isogenies between products of elliptic curves . . . . . . . . . . . 48
4.2 Split Jacobians and glueing of elliptic curves . . . . . . . . . . . 49
4.3 Richelot isogenies . . . . . . . . . . . . . . . . . . . . . . . . . . 52
4.4 (3,3)-isogenies . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
4.5 (ℓ, ℓ)-isogenies from theta functions . . . . . . . . . . . . . . . . 55
4.6 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56

Chapter 5: Concluding remarks and summary of contributions 57

Bibliography 63

Part II Publications 73

Chapter 6: SeaSign 2.0 75

Chapter 7: Superspecial (2,2)-hash functions 91

Chapter 8: CSURF 119

Chapter 9: Radical isogenies 139

Chapter 10: Multiradical isogenies and superspecial (3,3)-hash functions 169

Curriculum vitae 207


List of Figures

1.1 Illustration of the elliptic curve group law . . . . . . . . . . . . 5

2.1 Supersingular 2-isogeny graph in the SIDH setting over $\mathbb{F}_{277^2}$ . 27


2.2 Supersingular isogeny graph in the CSIDH setting over $\mathbb{F}_{659}$ with
$\ell_i \in \{3, 5, 11\}$ . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
List of Tables

1.1 Key size comparison of NIST’s Round 3 candidates for post-quantum standardization . . . . . . . . . . . . . . . 12
1.2 Speed comparison of NIST’s Round 3 candidates for post-quantum standardization . . . . . . . . . . . . . . . 14
Part I

Isogeny-based cryptography

Chapter 1

Introduction

It is my intent to show that elliptic curves have a rich enough arithmetic
structure so that they will provide a fertile ground for planting the seeds of
cryptography.

Victor S. Miller

Elliptic curves have been a well-studied area of mathematics since the nineteenth
century, with applications such as pseudo-random number generators and an
elliptic curve-based integer-factorization algorithm. Elliptic curves are also at
the basis of the majority of contemporary public key cryptographic protocols,
and we will take a closer look at the most important contributions in this area in
Section 1.1. With the recent rise of research into quantum computers however,
many of the traditional cryptographic protocols may become vulnerable to a
completely distinct set of attacks in the form of quantum algorithms. This will
be the topic of discussion in Section 1.2, where a new method of using elliptic
curves in cryptography will also be introduced, based on isogenies between
elliptic curves. These fairly recently developed cryptographic schemes come
with their own advantages and disadvantages, of which we will discuss the most
prominent ones in Section 1.3. We will end this chapter in Section 1.4 by posing
the two most significant research questions this thesis will address in the domain
of isogeny-based cryptography.


1.1 The history of elliptic curve cryptography

In 1976, Diffie and Hellman published one of the most influential papers of
modern day cryptography [35]. This protocol has been labeled the Diffie-Hellman
key exchange and it works as follows.
Assume Alice and Bob are two parties who want to agree on some sort of secret,
but they only have access to a channel that may be insecure. First, they can
publicly agree on a finite cyclic group $(G, \cdot)$ with generator $g$. Next, they both
generate a random integer, say $a$ for Alice and $b$ for Bob, where both integers
are at most the group order of $G$. They now separately calculate $g^a$ and $g^b$ and
pass these to one another over the possibly-insecure channel. Alice can now
compute $(g^b)^a$ and Bob can compute $(g^a)^b$, which both equal $g^{ab}$ and can serve
as their shared secret. An illustrative diagram is shown below.

    Alice                                     Bob
      g^a   ------------------------------>
            <------------------------------   g^b
    (g^b)^a       =       g^{ab}       =       (g^a)^b

Assuming the channel is insecure, an eavesdropper Eve will have access to at
least $G$, $g$, $g^a$ and $g^b$, but also possibly extra information such as the order of
$G$. The question then boils down to: in which groups is this information not
sufficient for Eve to also compute the secret $g^{ab}$? In certain groups, knowledge
of both $g$ and $g^a$ is enough to compute $a$, i.e. the equivalent of a (discrete)
logarithm computation in $G$. In certain groups such as the multiplicative group
of integers modulo a prime $p$, i.e. $\mathbb{Z}_p^\times$, this is not necessarily the case. But even
in this instance, a necessary – but not sufficient – condition is that $p$ needs to
be large enough. Otherwise, Eve could just find the secret $a$ by brute force
computing all possible powers of $g$ until a match with $g^a$ is found. In 1985,
Koblitz and Miller independently suggested the use of elliptic curves in this
Diffie–Hellman key exchange [55, 60].
An elliptic curve E is a nonsingular projective curve of genus one over a certain
field K, together with a distinguished point on that curve defined over K. In
its most general setting, any such curve E is isomorphic to a curve defined
by an affine equation of the form $y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6$,
where $a_1, a_2, a_3, a_4, a_6 \in K$, together with one point at infinity. This equation
is called the long Weierstraß form of an elliptic curve. Assuming the field K
does not have characteristic two or three, any such curve E is also isomorphic
to a curve given by a short Weierstraß equation $y^2 = x^3 + Ax + B$, where again
the distinguished point is a single point at infinity.

[Figure 1.1: Illustration of the elliptic curve group law over the real field with
the chord-and-tangent method. (a) Adding two generic points P and Q on an
elliptic curve E. (b) Adding a generic point P to itself on an elliptic curve E.]
Turning the set of points of an elliptic curve E into a group is done with the
chord-and-tangent method, which is illustrated in Figure 1.1. Let P and Q be
two generic points on an elliptic curve E. In order to find their sum P + Q,
one first draws the line through P and Q and finds the third intersection point
of this line with E. This intersection point is then reflected around the x-axis
and the resulting point is P + Q, see Subfigure 1.1a. Adding a generic point
to itself is done by first drawing the tangent line to E at this point, finding
the third point of intersection of this line with E, before finally reflecting that
point around the x-axis; see Subfigure 1.1b. Some nongeneric cases also need
to be considered, such as the point at infinity ∞ serving as the neutral element,
and inverting a point P to −P is reflecting that point around the x-axis. The
group operation is denoted by a + sign and successive additions are written as
traditional multiplications, i.e. $kP = \underbrace{P + P + \dots + P}_{k\ \text{terms}}$. This operation is called
the scalar multiplication (of a point) on an elliptic curve.
Proving that this construction actually yields a well-defined group law on an
elliptic curve takes a little bit of mathematical machinery. For a proof on an
undergraduate level, see for example the book by Silverman and Tate [83]. For
a more conceptual exposition, we refer to Silverman’s second book about elliptic
curves [82], which, combined with his third and most advanced book [81], are
typically seen as staple references regarding elliptic curves.
Using the group of rational points on elliptic curves over a finite field $\mathbb{F}_q$ in
the Diffie–Hellman setting is called Elliptic Curve Diffie–Hellman (ECDH).
The underlying hardness assumption is the Elliptic Curve Discrete Logarithm
Problem (ECDLP): given the $\mathbb{F}_q$-rational points P and kP on an elliptic curve E
over $\mathbb{F}_q$, it is computationally hard to find k.¹ Note that the word logarithm in
the description is due to the analogy with the multiplicative group of integers
modulo a prime p. There is no general method to solve the ECDLP in polynomial
time, although care is needed when picking both the field $\mathbb{F}_q$ and
the elliptic curve E. If q is a nonprime power of two for example, the curve
may be vulnerable to an attack based on Weil descent [45]. Alternatively, if the
number of $\mathbb{F}_q$-rational points on E is exactly q, one can attack the ECDLP by
mapping the points of E to the additive group of $\mathbb{F}_q$ [84]. Additionally, one needs
to be careful with side-channel attacks and possible backdoors, although these
concepts are not limited to just elliptic curves. Taking all known exceptions
into account, only generic attacks such as Pollard’s rho attack [71] work against the
ECDLP, of which the best have time complexity $O(\sqrt{p_i})$, where $p_i$ is the largest
prime factor of $|E(\mathbb{F}_q)|$. This implies that in order to have 128 bits of security,
we will need a curve with roughly $2^{256}$ points, which occurs when $q \approx 2^{256}$.
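The chord-and-tangent group law, scalar multiplication and the ECDH exchange described above, worked out in Python as an added example (this is not code from the thesis): a short Weierstraß curve over a prime field, a naive point count to confirm the group order, and a toy ECDH run. The curve $y^2 = x^3 + 2x + 3$ over $\mathbb{F}_{97}$, the base point and the secret scalars are constructed for illustration only.

```python
# Added example (not from the thesis): chord-and-tangent arithmetic on a short
# Weierstrass curve y^2 = x^3 + A x + B over F_p (p > 3), double-and-add scalar
# multiplication, a naive point count, and a toy ECDH exchange.  All parameters
# below are constructed for illustration; a real deployment needs p around 2^256.

INF = None  # the point at infinity, neutral element of the group


class Curve:
    """y^2 = x^3 + A*x + B over F_p with p > 3 and 4A^3 + 27B^2 != 0 (nonsingular)."""

    def __init__(self, p, A, B):
        if p <= 3 or (4 * A**3 + 27 * B**2) % p == 0:
            raise ValueError("singular curve or unsupported characteristic")
        self.p, self.A, self.B = p, A % p, B % p

    def contains(self, P):
        if P is INF:
            return True
        x, y = P
        return (y * y - (x**3 + self.A * x + self.B)) % self.p == 0

    def neg(self, P):
        # -P is the reflection of P around the x-axis
        if P is INF:
            return INF
        x, y = P
        return (x, (-y) % self.p)

    def add(self, P, Q):
        # Chord (P != Q) or tangent (P == Q) through the points, third
        # intersection with E, then reflect.  Non-generic cases come first.
        if P is INF:
            return Q
        if Q is INF:
            return P
        x1, y1 = P
        x2, y2 = Q
        p = self.p
        if x1 == x2 and (y1 + y2) % p == 0:
            return INF  # Q = -P: the vertical line meets E again at infinity
        if P == Q:
            lam = (3 * x1 * x1 + self.A) * pow(2 * y1, -1, p) % p  # tangent slope
        else:
            lam = (y2 - y1) * pow(x2 - x1, -1, p) % p  # chord slope
        x3 = (lam * lam - x1 - x2) % p
        y3 = (lam * (x1 - x3) - y1) % p  # reflection of the third intersection
        return (x3, y3)

    def mul(self, k, P):
        # scalar multiplication kP = P + P + ... + P by double-and-add
        if k < 0:
            return self.mul(-k, self.neg(P))
        R = INF
        while k:
            if k & 1:
                R = self.add(R, P)
            P = self.add(P, P)
            k >>= 1
        return R

    def order(self):
        # Naive count of |E(F_p)|, only feasible for a toy p:
        # 1 (infinity) + sum over x of (1 + Legendre symbol of x^3 + Ax + B).
        n = 1
        for x in range(self.p):
            rhs = (x**3 + self.A * x + self.B) % self.p
            if rhs == 0:
                n += 1  # one point with y = 0
            elif pow(rhs, (self.p - 1) // 2, self.p) == 1:
                n += 2  # rhs is a nonzero square: two points (x, +-y)
        return n


def ecdh(curve, G, a, b):
    """Alice (secret a) and Bob (secret b) exchange aG and bG; both derive abG."""
    A_pub, B_pub = curve.mul(a, G), curve.mul(b, G)  # sent over the channel
    return curve.mul(a, B_pub), curve.mul(b, A_pub)  # Alice's and Bob's secrets


if __name__ == "__main__":
    E = Curve(97, 2, 3)  # constructed toy curve y^2 = x^3 + 2x + 3 over F_97
    G = (3, 6)           # constructed base point: 3^3 + 2*3 + 3 = 36 = 6^2
    n = E.order()
    print("|E(F_97)| =", n, "and n*G =", E.mul(n, G))
    print("ECDH shared secrets (Alice, Bob):", ecdh(E, G, 7, 13))
```

Eve sees G, 7G and 13G but not 7·13·G; on this toy curve she could recover 7 by trying all scalars, which is exactly why the text requires q ≈ 2^256 in practice.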
Apart from ECDH, a variety of other cryptographic protocols based on the
ECDLP were discovered, such as the Elliptic Curve Digital Signature Algorithm
(ECDSA) and the Elliptic Curve Integrated Encryption Scheme (ECIES). In the
wake of these newly-discovered highly-practical applications of elliptic curves,
a lot of research in the decades following Koblitz and Miller’s proposal was
dedicated to optimizing the scalar multiplication on elliptic curves. Given
that inversions over finite fields are costly operations compared to additions,
subtractions and multiplications, affine equations were typically forgone in favor
of projective coordinates. Alternative forms of the short Weierstraß equations
were looked into, to see if it was possible to speed up the scalar multiplications
even more. Two thoroughly-studied representations of elliptic curves are the
(twisted) Edwards curves [7] and the Montgomery curves with the associated
Montgomery ladder [8]. Specific curves were given a name and pushed forward
due to their security and effectiveness of scalar multiplication. Some of these
curves were standardized through government channels, see for example the
Digital Signature Standard document of the National Institute of Standards
and Technology (NIST) from 2013 [64].

¹ Strictly speaking, solving the ECDLP is a sufficient but not required way of breaking
ECDH. It also suffices to be able to compute $(k_1 k_2)P$ from just $P, k_1 P, k_2 P$, without needing
to know $k_1$ and $k_2$ explicitly. This last problem is called the Computational Diffie–Hellman
problem.
The main advantage of elliptic curve-based cryptographic protocols is that they
typically have significantly shorter keys than the alternative schemes. For 128
bits of classical security for example, NIST recommends a 256-bit elliptic curve
versus a 3072-bit RSA modulus [67]. To this day, elliptic curves in cryptography
are still used relentlessly in state-of-the-art technologies, such as for visiting
websites securely through TLS, or as a subprotocol for certain cryptocurrency
computations.
It is worth mentioning that not all elliptic curve cryptographic protocols
have the ECDLP as underlying hardness assumption. Schemes exist where,
through the Weil or Tate pairing on elliptic curves, the security is based on the
discrete logarithm problem in the multiplicative group of a finite field [12, 43].
Additionally, one can consider hyperelliptic curves of arbitrary genus, instead
of elliptic curves, and use similar schemes as the ECDH. A hyperelliptic curve
over a field with characteristic different from two is generically given by an
equation of the form y 2 = f (x), where f (x) is a monic squarefree polynomial
of degree 2g + 1 or 2g + 2, with g the wanted genus (e.g. an elliptic curve is a
hyperelliptic curve of genus one). One can embed the set of points on such a
curve into a group by considering the Jacobian of this curve, where at most g
affine points combined can represent a group element uniquely. This method is
a little more involved than the chord-and-tangent method of elliptic curves but
is nonetheless a well-understood construction (see Example 1 in Section 2.1.1).
Despite good research efforts, these hyperelliptic curves could typically not
compete with elliptic curves in terms of efficiency. Additionally, there was more
uncertainty in terms of security. A significant number of discrete logarithm
problems on Jacobians of hyperelliptic curves of genus three could for example
be translated by isogenies to discrete logarithm problems on abelian varieties
that are Jacobians of nonhyperelliptic curves, which are vulnerable to index
calculus attacks [87].

1.2 Post-quantum cryptography

One of the first mentions of a quantum computer was published in 1980, where
Benioff suggested a theoretical quantum model of the Turing machine [4]. It
was not until 1998 that an actual quantum computer was built [27], although it
only really had 2 qubits (the quantum equivalents to classical bits). Nowadays,
several other quantum computer models have been designed, both in theory
and in practice, with companies such as Google and IBM putting a lot of
research into them. In 2019, Google reported a demonstration of a successful
53-qubit quantum computer [46]. In 2020, IBM managed to create a 65-qubit
quantum computer [93], and followed up with the current record of 127 qubits
in 2021 with their Eagle processor [26]. Quantum computers operate under
a completely different set of assumptions and rules than classical computers,
and are susceptible to for example temperature changes and inaccuracies. A
common misconception is that a sufficiently large quantum computer would
be able to outperform any computation on a classical computer. Even though
this is not true, quantum computers are definitely capable of handling certain
specific tasks extremely efficiently.
Unfortunately, integer factorization and the ECDLP are two of those tasks. In
1994, Shor published a paper in which he described a quantum algorithm that
could solve both of these conjectured hard problems in polynomial time on a
quantum computer, an (almost) exponential improvement over the state-of-the-
art attacks by means of a classical computer [80]. Due to physical issues with
quantum computers involving stability and error rates, it is hard to predict
how many qubits it would take exactly to break the current RSA or ECDH
protocols. Physical qubits are prone to producing errors, so typically hundreds
or thousands of them are assembled together with an error-correcting code to
form one logical qubit. It’s even harder to predict when a quantum computer of
a given number of qubits – be it physical or logical – would exist, with skeptics
claiming that we’re not really close to anything groundbreaking in the near
future, if ever, and that an exponential scaling similar to Moore’s law will be
required to ever get anywhere [72, 50].
Despite this doubt in the possible future of quantum computers, the
cryptographic community has started working towards a set of protocols to
replace the ones that fall prey to any of the new quantum algorithms. In some
instances, this was simply digging up an old suggestion that was never popular
nor standardized due to performance issues, such as the McEliece cryptosystem
from 1978 [58]. For elliptic curve-based cryptography, the future looked rather
bleak since not only was a quantum computer able to solve the ECDLP, but also
its hyperelliptic variant as well as any elliptic curve pairing-based cryptographic
protocol.
Couveignes and Rostovtsev-Stolbunov independently discovered a way to use
maps between elliptic curves, called isogenies, to create a new cryptographic
protocol [31, 77]. Despite the mathematical revelation, the protocol never
attracted much attention due to the fact that it was nigh impossible to
find a set of curves with a particular number of points to make the scheme
anywhere near practical. In 2009, Charles, Goren and Lauter published a
paper describing hash functions from expander graphs, where an expander
graph based on isogenies between supersingular elliptic curves could also be
used [23]. This type of hash function is commonly referred to as a CGL hash
function, and will be the topic of discussion of Subsection 2.2.1. In 2011, Jao
and De Feo used the structure of this graph to create a public key exchange
called Supersingular Isogeny Diffie–Hellman (SIDH), which will be discussed
in Subsection 2.2.2. This discovery paved the path for more research into
isogeny-based cryptography. In 2018, Castryck, Lange, Martindale, Panny
and Renes discovered a different isogeny-based public key exchange, which
they labelled Commutative Supersingular Isogeny Diffie–Hellman (CSIDH,
pronounced “sea-side”, see [20] or Subsection 2.2.3). Despite its name, this
protocol is more akin to the scheme of Couveignes and Rostovtsev-Stolbunov,
where the use of supersingular elliptic curves instead of ordinary curves sped
up the computations by several orders of magnitude. Apart from these public
key exchange protocols, many other cryptographic primitives based on isogenies
followed along the way. In the signature department, noteworthy mentions are
SeaSign [32], CSI-FiSh [10] and SQISign [33].
Even though the future of quantum computers is hard to predict, NIST wanted
to incentivize the cryptographic community towards more research into protocols
resistant to quantum algorithms, and initiated a standardization process in
2017 [65]. Their call for submissions ended up with 82 proposals, of which 69
got accepted, split between 45 public key exchange protocols and 19 digital
signature schemes in their Round 1, taking into account that 5 authors withdrew
their own submission. One of these 45 public key exchange protocols was
Supersingular Isogeny Key Encapsulation (SIKE), which is a version of SIDH
combined with a key encapsulation mechanism. These Round 1 candidates got a
lot of attention from the scientific community, with schemes getting broken and
security conjectures being questioned. After some mergers of submissions and
thorough consideration, NIST announced in January 2019 that going forward
in Round 2, only 26 candidates for standardization remained, including SIKE.
Two years and much peer review later, NIST announced that they had most
faith in 4 public key exchange protocols (Classic McEliece, CRYSTALS-KYBER,
NTRU, SABER), as well as 3 signature schemes (CRYSTALS-DILITHIUM,
FALCON, Rainbow). They also announced that 5 public key exchange protocols
(BIKE, FrodoKEM, HQC, NTRU Prime, SIKE) and 3 signature schemes
(GeMSS, Picnic, SPHINCS+) were considered as “alternative candidates” for
standardization. In general, these alternative candidates were considered to
be lacking in certain aspects, but were too good to be discarded and more
clarity with regards to security or better performance could make them viable
in the future [68]. In total, 15 submissions hence remain in Round 3 of NIST’s
post-quantum standardization process. We will discuss some of the advantages
and disadvantages of isogeny-based cryptography in general, and SIKE in
particular, in the next section.

1.3 Strengths & weaknesses of isogeny-based cryptography

In 2021, Craig Costello wrote a paper called “The Case for SIKE: A Decade
of the Supersingular Isogeny Problem”, in which he elaborated on ten reasons
why SIKE is a strong contender as a standard in a post-quantum cryptographic
world [30]. Even though his subject of discussion was clearly SIKE and the
underlying SIDH key exchange, most of the talking points can be generalized
to isogeny-based cryptography in general, especially the ones that make use
of the underlying hardness assumption of SIDH. We will elaborate on three of
the most noticeable strengths of isogeny-based cryptography, although I would
highly advise anyone interested to also read [30].
Strength 1. There are a limited number of known attack avenues for SIKE,
and quantum computer attacks are arguably no better than those on classical
computers.
Seven of NIST’s nine Round 3 candidates for post-quantum public key
exchange standardization are lattice-based. The cryptanalysis for these schemes
is hard, in part due to the more difficult physical setting of quantum computers
(e.g. there needs to be nontrivial communication between a quantum and a
classical computer). The number of quantum algorithms that could attack SIKE
on the other hand is limited, and the attacks are easier to understand. Originally
it was proclaimed that Tani’s claw finding algorithm [91] was the biggest threat
to SIDH, which has time complexity O(p1/6 ) when working with elliptic curves
over the field Fp2 [51]. Later on, it was argued that the best quantum algorithms
against SIKE required more operations than originally assumed, in the order of
$\tilde{O}(p^{1/4})$ [52, 53]. This implied that the original SIKE submission to NIST’s post-
quantum standardization process was too conservative, and adjustments with
regards to the security parameters have been submitted in the Round 3 version
of SIKE. It can even be argued that in a significant number of realistic parameter
settings, quantum algorithms are outperformed by classical algorithms, and in
the few cases where they are not, the difference is almost negligible [30, 53].
Strength 2. Elliptic curves have a rich history of being researched in a
cryptographic setting.
From a cryptographic point of view, few concepts have been studied as vigorously
as elliptic curves. This means we have a firm grasp on aspects pertaining to their
strengths and weaknesses. In particular, certain isogeny computations involve
computing scalar multiplications (see Chapter 3), which have been intensely
studied in the context of side-channel analysis, hence it is already known how
to defend properly against this type of attack. Additionally, it is also
the Round 3 candidate of the NIST post-quantum standardization process that
lends itself most naturally to a hybrid type of scheme. By that we mean that
it is not infeasible that public key cryptography will go through a transitory
period, where both classical and post-quantum key exchange would need to be
available before making the final transfer to fully post-quantum cryptographic
protocols. One can use a lot of optimized arithmetic and structure of elliptic
curves both in the classical as in the isogeny-based setting.
Strength 3. Isogeny-based cryptography has the most compact keys of post-
quantum cryptographic protocols.
Elliptic curve-based cryptography was lauded for its compact keys compared
to similar schemes, and isogeny-based cryptography is no different in that
regard. Most cryptographic schemes based on isogenies, including SIKE, have
very small key sizes. For a comparison with the other Round 3 candidates of
NIST’s post-quantum standardization process, see Table 1.1. Similarly, the
isogeny-based signature scheme SQISign is extremely compact, but was only
introduced after NIST’s initial call for submissions so for now it is not considered
for standardization.
Even though many things can be said in favor of isogeny-based cryptography,
it does come with some possible disadvantages as well. To counterbalance the
strengths, we will also discuss three weaknesses of isogeny-based cryptography.
Weakness 1. Unlike SIKE, there is no consensus about the security of CSIDH.
Due to the structure of the isogenies in the CSIDH setting, additional attacks are
possible that do not apply to SIDH or SIKE. This means the discussion about
the quantum security of CSIDH is still far from finished [9, 13, 69]. At this time,
this should not be deemed too big a weakness. Firstly, the scheme has only been
around for 4 years at the time of writing this thesis, which is still in its infancy
when it comes to security estimates and performance optimizations. Secondly,
this is not so different from many of the other post-quantum cryptographic
schemes, where an agreement about the security levels has not been reached
either. Finally, even though CSIDH is not part of the NIST standardization
process, there has been criticism about the terminology used in their call for
papers, because security from quantum computers is inherently more complex
than security from classical computers. As Daniel J. Bernstein says in his blog
post: “I see only two ways that submitters a year from now can possibly be
"confident that the specified security target is met or exceeded": (1) overkill; (2)
overconfidence. Many users will not be satisfied with overkill, and NIST should
not encourage overconfidence.” [5].

                    NIST level 1   NIST level 3   NIST level 5
Classic McEliece         261,120        524,160      1,044,992
CRYSTALS-KYBER               800          1,184          1,568
NTRU                         699            931          1,230
SABER                        672            992          1,312
BIKE                      12,323         24,659         40,973
FrodoKEM                   9,616         15,632         21,520
HQC                        2,249          4,522          7,245
NTRU Prime                   897          1,184          1,847
SIKE                         330            462            564

Table 1.1: A comparison of public key sizes for all the Round 3 candidates and
alternative candidates for NIST’s post-quantum standardization process. The
data is displayed in bytes and was obtained from the official submission files
for each scheme, directly from the NIST website [66]. Note that a lot of these
values come with nuance, for example key compression can reduce the public
key size at the cost of requiring more processing time (see Table 1.2 for timings).
The numbers are mostly meant as a rough order of magnitude for the public
key size for each scheme per security level.


Weakness 2. Isogeny-based cryptography is a new area of research with a steep
learning curve.
A significant part of the fundamental security of cryptographic protocols is
based on hardness assumptions such as ECDLP, where the essence is “Given X,
there is no known way to efficiently compute Y.”. Most of these assumptions are
thus merely conjectured, since proving the nonexistence of an efficient algorithm
is typically hard to impossible. The trust of the scientific community relies on a
couple of aspects, and isogeny-based cryptography falls short on some of these.
Perhaps the most significant factor in the belief that certain hardness
assumptions are correct, is the amount of time they have been around
uncontested. The underlying hardness assumption for RSA is the conjecture
that a classical computer can not efficiently factor large integers, which has been
around since the late 1970s. Some progress has been made since then in terms
of software and hardware upgrades, but also more efficient algorithms. Overall,
the assumption still holds for sufficiently large integers, and a similar case can
be made for the ECDLP. On the other hand, some of the submissions to round
1 of the post-quantum standardization process of NIST were broken in mere
weeks if not days. In terms of isogeny-based cryptography, SIDH has only been
around since 2011 and thus some people feel that not enough time has passed to
truly believe in its underlying hardness assumption. This is illustrated by the
fact that major breakthroughs in isogeny-based cryptography can still occur. In
2021 for example, an algorithm was published to compute an isogeny of degree $\ell$
asymptotically in $O(\sqrt{\ell})$ finite-field operations (see [6] or Section 3.3), whereas
previously the best algorithms could only do this in $O(\ell)$. It is not unreasonable
to assume that a groundbreaking new attack on isogeny-based cryptography
is more likely to be discovered than a new highly-efficient integer-factorization
algorithm.
Another factor in the trust of the hardness assumptions is how accessible the
problem is. One could theoretically illustrate to children in elementary school
how integer factorization is significantly harder than integer multiplication.
The ECDLP would need to wait till the final years of high school or even
undergraduate level. Understanding isogeny-based cryptography on a basic
level already takes more effort, especially for a student majoring in computer
science instead of mathematics. In order to understand it on a high enough
level to join the discussion, one would need to understand more advanced
mathematical concepts such as quaternion algebras, Eichler orders, class groups,
etc. This keeps the pool of people who can weigh in on the matter - be it good
or bad for the future of isogeny-based cryptography - smaller than for example
lattice-based cryptography.
Not much can be actively done about these issues. One requires us to wait and
see, whereas for the other we can only hope that the isogeny-based cryptographic
community keeps growing and maturing.
Weakness 3. Isogeny-based cryptography is slower than other post-quantum
cryptographic protocols.
The main drawback of SIKE in NIST’s report for announcing its Round 3
candidates for standardization, was that it is an order of magnitude slower
than lattice- or code-based schemes of similar security. The same holds for
most other isogeny-based cryptographic schemes, including CSIDH. For a
concrete comparison of SIKE with the other Round 3 candidates for NIST’s
standardization process, see Table 1.2. Important to note is that - despite this
disadvantage - NIST still considered SIKE to be strong enough a contender
to label it an alternative candidate. As Costello argued in his plea in favor of
SIKE [30], speed is typically something that over time is the least problematic,
since arithmetic-specific hardware and new algorithms are discovered frequently
for most cryptographic protocols. For example, the well-established formulae by
Vélu to compute isogenies between elliptic curves have recently been improved
by an asymptotic square root factor in terms of computational complexity [6].
                    NIST level 1   NIST level 3   NIST level 5
Classic McEliece      58,213,506    216,174,909    438,680,389
CRYSTALS-KYBER           465,168        709,568      1,050,380
NTRU                     292,636        452,464        605,860
SABER                    170,092        286,636        435,752
BIKE                   3,040,000      8,855,000              -
FrodoKEM               4,994,000      9,794,000     16,450,000
HQC                      740,000      1,454,000      2,447,000
NTRU Prime               186,851        250,360        343,071
SIKE                 243,743,000    751,606,000  1,259,985,000

Table 1.2: A comparison of the time it takes for all the Round 3 candidates
and alternative candidates for NIST’s post-quantum standardization process
to generate a key, encapsulate and decapsulate it. The data is displayed in
clock cycles and was obtained from the official submission files for each scheme,
directly from the NIST website [66]. Note that a lot of these values come with
nuance, for example key compression can reduce the public key size at the cost
of requiring more processing time (see Table 1.1 for public key sizes). The
numbers are mostly meant as a rough order of magnitude for the timings for
each scheme per security level.

1.4 Research problems and overview of the thesis

With the previous sections in mind, we are now ready to state the two research
problems this thesis will address. Remark that even though some of the topics
will touch upon the security issues of isogeny-based cryptography, we will not
list improving security as a research problem on its own. The reason for this is
that there never was a focus on this aspect and - from a cryptanalysis point of
view - the contributions towards improving security are minimal.
Question 1: How can isogeny-based cryptography be sped up?
Given that one of the main drawbacks of isogeny-based cryptography is its slow
speed, the above question is probably the number one problem to tackle if we
wish to standardize isogeny-based cryptographic protocols. In Chapter 2 we
will give a brief outline of the mathematical and cryptographic background
needed to understand isogeny-based cryptography. In Chapter 3, the most
common state-of-the-art methods to compute isogenies between elliptic curves
are expanded upon.
As far as my own contributions towards this research question go, it is important
to distinguish between different methods of speeding up an isogeny-based
cryptographic protocol. A first way to tackle this is to look at the protocol itself,
and change it without adjusting the mathematical framework. An example of
this is given in Chapter 6, where the SeaSign signature scheme was sped up by
a significant factor. A second way to speed up such a protocol is to slightly
alter the mathematical framework in such a way that the involved computations
are not altered too much, but can be done more efficiently. In Chapter 8, an
example of such a type of speed up is given, by changing the set of elliptic
curves in the CSIDH setting to a new set with slightly different endomorphism
rings. Finally, one can also speed up the arithmetic part of already existing
isogeny-based cryptographic protocols. In Chapter 9, we develop a new way to
efficiently compute isogenies of small degree in the CSIDH setting.
Question 2: In what way can isogeny-based cryptography be
generalized to higher dimensional abelian varieties?
From a mathematical point of view, the above question is definitely interesting
to ask. Apart from this scientific curiosity, these higher dimensional analogues
could lead to similar cryptographic protocols or help us understand the existing
protocols even more, with for example a clearer view of their security or
completely new attacks on them. In Chapter 2, we discuss abelian varieties in
their most general form. The arithmetic involved in these higher dimensional
versions of elliptic curves is quite often a lot more complex, and we will focus
on the state-of-the-art dimension-two formulae in Chapter 4.
My own contributions on this topic can be found in Chapters 7 and 10. In the
former, we expand upon some of the work on trying to translate CGL hash
functions to dimension two by fixing some of the issues that are not present in
the elliptic curve-case. In the latter, the new way to compute isogenies between
elliptic curves from Chapter 9 is generalized to abelian varieties of arbitrary
dimensions.
It is imperative to realize that isogeny-based cryptography is still a fairly new
domain of research in which much more is yet to be discovered. In particular,
answering certain research questions can easily lead to new ones popping up.
In Chapter 5 we will take a closer look at some concluding remarks that can be
made in this matter, as well as giving a summary of my own contributions. We
will end this chapter with a list of my publications and a very brief explanation
of the core ideas behind them.

1. Thomas Decru and Lorenz Panny and Frederik Vercauteren (2019). Faster
SeaSign Signatures Through Improved Rejection Sampling. In Post-
Quantum Cryptography - 10th International Conference, PQCrypto 2019,
Chongqing, China, May 8-10, 2019 Revised Selected Papers (pp. 271–285).
Springer.
We speed up the SeaSign isogeny-based signature scheme by one or even
two orders of magnitude, depending on the parameter choices, at the
cost of only roughly doubling the signature size. The main idea is that
the signer is allowed to not answer certain queries if they would leak
information about the private key.
2. Wouter Castryck and Thomas Decru and Benjamin Smith (2020). Hash
functions from superspecial genus-2 curves using Richelot isogenies. J.
Math. Cryptol., 14(1), 268–292.
We fix the collisions in the genus-2 variant of the CGL hash function that
were discovered. In essence, by disallowing certain paths taken in the
isogeny-graph, we can guarantee that the concatenation of (2, 2)-isogenies
results in a $(2^k, 2^k)$-isogeny instead of a $(4^{k_1}, 2^{k_2}, 2^{k_3})$-isogeny, which was
the cause for the collisions.
3. Wouter Castryck and Thomas Decru (2020). CSIDH on the Surface. In
Post-Quantum Cryptography - 11th International Conference, PQCrypto
2020, Paris, France, April 15-17, 2020, Proceedings (pp. 111–129).
Springer.
We change the curves used in the CSIDH setting to the supersingular
elliptic curves on the surface, i.e. those with endomorphism ring $\mathbb{Z}[(1 + \sqrt{-p})/2]$.
This allows the use of very fast 2-isogenies, speeding up the
entire protocol by about 5.68% on the lowest security level.

4. Wouter Castryck and Thomas Decru and Frederik Vercauteren (2020).
Radical Isogenies. In Advances in Cryptology - ASIACRYPT 2020 - 26th
International Conference on the Theory and Application of Cryptology
and Information Security, Daejeon, South Korea, December 7-11, 2020,
Proceedings, Part II (pp. 493–519). Springer.
We develop a new and highly efficient way of computing long chains of
cyclic isogenies of degree $N^k$ for small N and large k. The dominating
cost of the arithmetic is taking an $N$th root, which in the CSIDH setting
amounts to computing a single exponentiation over a prime field, resulting
in a speed-up of about 19% on the lowest security level.
5. Wouter Castryck and Thomas Decru (2021). Multiradical isogenies.
IACR Cryptol. ePrint Arch., 1133. (To appear in AMS Contemporary
Mathematics)
We generalize certain aspects of the radical isogeny formulae to abelian
varieties in higher dimensions. Our main application is a genus-2 variant
of the CGL hash function using radical (3, 3)-isogenies, which outperforms
the (2, 2)-isogeny variant asymptotically by a factor of 9.
Chapter 2

Preliminaries

Algebraic geometry seems to have
acquired the reputation of being
esoteric, exclusive, and very
abstract, with adherents who are
secretly plotting to take over all
the rest of mathematics. In one
respect this last point is accurate.

David Mumford

Isogeny-based cryptography is located on the intersection of algebraic geometry
and cryptographic protocols. In this chapter we elaborate on the necessary
background of both fields. In Section 2.1, the mathematical foundation of
isogenies between superspecial abelian varieties is explained. In Section 2.2
we use these concepts to explain three of the most fundamental isogeny-based
cryptographic schemes. Many of the statements in this chapter are well-known
results that require a lot of machinery to prove. The goal is not to recreate
these proofs, since this would lead us too far down a rabbit hole. Rather, we
will introduce the relevant concepts with the necessary properties and fitting
examples, with appropriate references to more in-depth discussion where needed.
A basic knowledge of algebraic geometry and cryptography is assumed.

2.1 Mathematical background

In Subsection 2.1.1, abelian varieties are defined in their most general form.
Subsection 2.1.2 describes isogenies, together with some of their properties.
Finally, in Subsection 2.1.3, we take a closer look at superspecial abelian
varieties, which are the main building blocks of the majority of isogeny-based
cryptographic schemes. Good references for abelian varieties and isogenies
are [61] and [63]. For superspecial abelian varieties, we refer to [15].

2.1.1 Abelian varieties

In general, we consider an algebraic variety A/K over a field K to be projective,
i.e. A/K is a Zariski-closed subset of $\mathbb{P}^n$ for some nonnegative integer n. In
practice, the projective part will be omitted if there is no reason for confusion
since it alleviates notation.

Definition 1. An abelian variety A/K over a field K is an algebraic variety
A/K together with morphisms + : A × A → A and − : A → A, as well as a
neutral element 0 ∈ A(K), such that (A(K), +) is a group.

The dimension of an abelian variety is the same as the dimension when considered
as an algebraic variety. The Picard group Pic(A) of an abelian variety A is
the group of Weil divisors up to algebraic equivalence. The group $\mathrm{Pic}^0(A)$ is
the subgroup of Weil divisors of Pic(A) which are algebraically equivalent to
zero. The group $\mathrm{Pic}^0(A)$ is called the dual abelian variety of A and denoted
$A^\vee$. Let $t_a$ be the translation-by-$a$ map, then for every divisor $D \in \mathrm{Pic}^0(A)$ the
following homomorphism is well-defined:

$\varphi_D : A \to A^\vee,\quad a \mapsto t_a(D) - D.$

A polarization of an abelian variety A is a surjective nonzero homomorphism
$A \to A^\vee$, with finite kernel that maps 0 to 0, which over K can be written as
φD for some ample divisor D ∈ A. If φD is an isomorphism, the polarization
is said to be principal. We will silently assume that all abelian varieties come
equipped with a principal polarization from here onwards. In practice, a
principal polarization implies that the abelian variety is no longer an ‘abstract’
object only and we can do arithmetic on it by means of equations.
Example 1. Let C/K be a nonsingular curve of genus g over a field K. A
divisor D on C is a formal sum of the form $\sum n_P P$, where $P \in C$, $n_P \in \mathbb{Z}$ and
only finitely many of the $n_P$ are nonzero. The degree of D is defined as $\deg(D) =
\sum n_P$ and $\mathrm{Div}^0(C)$ is defined as the set of all divisors of C of degree zero. One
can define addition for divisors in a natural way and prove that $\mathrm{Div}^0(C)$ is
a group. Let $f \in K(C)^*$ be a function and define $\mathrm{div}(f) = \sum_{P \in C} \mathrm{ord}_P(f)\, P$,
where ordP (f ) denotes the order of f at P . A divisor that can be written this
way is called a principal divisor and the set of all principal divisors of C, denoted
Princ(C), is a subgroup of Div0 (C). The Jacobian of C is denoted as Jac(C)
and is defined as the quotient group Div0 (C)/Princ(C). This Jacobian can be
given the structure of an abelian variety of dimension g over K.

In Example 1, a divisor class $D \in \mathrm{Jac}(C)$ over a perfect field K (i.e. $\bar{K}/K$ is
Galois) is called K-rational if it is fixed under the action of $\mathrm{Gal}(\bar{K}/K)$, i.e.
$D \equiv D^\sigma$ for every $\sigma \in \mathrm{Gal}(\bar{K}/K)$, where the equivalence needs to be seen as
$D - D^\sigma$ being a principal divisor associated to some $f \in K(C)^*$. The set of
points in the formal sum of the representation of a divisor class hence need not
be K-rational for the divisor class to be K-rational.
In the case of an elliptic curve E, the construction of its Jacobian coincides
with the classical chord-and-tangent method to define a group operation on
E. One can thus see abelian varieties as a generalization of elliptic curves to
higher dimensions. In the elliptic curve case however, we will continue to refer
to the well-established notation and terminology of points on a curve instead of
divisors classes in its Jacobian. Slightly more general examples are Jacobians of
hyperelliptic curves.
Example 2. Let C/K be a hyperelliptic genus-g curve over a field K, where K
has at least six elements and char(K) ≠ 2. Then - up to K-isomorphism - C can
be written as the zero set of $y^2 = f(x)$, where f is a monic univariate polynomial
of degree 2g + 1. The odd degree of f ensures that all but one of the points of
C are affine and we denote ∞ as the unique point at infinity. Every element
$D \in \mathrm{Jac}(C)$ has a unique representative of the form $D = \left(\sum_{i=0}^{g'} P_i\right) - g'\infty$,
where all $P_i$ are affine points, $0 \le g' < g$, and $\{P_0, \dots, P_{g'}\}$ contains no two
points with equal x-coordinates but different y-coordinates.

Note that arithmetic in Jac(C) is typically not done with formal sums of points.
A convenient method to write down a divisor $D = \left(\sum_{i=0}^{g'} P_i\right) - g'\infty$ in the
Jacobian of a hyperelliptic curve is by its Mumford representation. The Mumford
representation of D is a pair of univariate polynomials $(u(x), v(x))$ such that
$u(x) = \prod_{i=0}^{g'} (x - x_i)$ and $P_i = (x_i, v(x_i)) \in C$ for all $0 \le i \le g'$. Remark that
one can show that a divisor is K-rational iff the Mumford representation is
defined over the ground field, i.e. $u, v \in K[x]$. This conveniently removes the
possible need to define K-rational divisors over extension fields.
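As an added worked example (not code from the thesis), the following Python builds the Mumford pair (u(x), v(x)) of a divisor from its affine points, checks the defining property that deg v < deg u and u divides v² − f, recovers the points from (u, v) again, and cancels opposite points (x, y), (x, −y), which is the situation that the representative in Example 2 excludes. The genus-2 curve y² = x⁵ + 2x + 1 over F_7 and the points used are constructed here for illustration; repeated points, whose v(x) would need a Hensel lift, are deliberately rejected rather than handled.

```python
# Added example, not code from the thesis: building and checking the Mumford
# representation (u(x), v(x)) of a divisor on a hyperelliptic curve y^2 = f(x)
# over a small prime field F_p.  Polynomials are lists of coefficients in F_p,
# lowest degree first; [] is the zero polynomial.

def poly_trim(a):
    """Drop leading zero coefficients in place and return the list."""
    while a and a[-1] == 0:
        a.pop()
    return a

def poly_add(a, b, p):
    n = max(len(a), len(b))
    a, b = a + [0] * (n - len(a)), b + [0] * (n - len(b))
    return poly_trim([(x + y) % p for x, y in zip(a, b)])

def poly_mul(a, b, p):
    if not a or not b:
        return []
    res = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            res[i + j] = (res[i + j] + ai * bj) % p
    return poly_trim(res)

def poly_mod(a, m, p):
    """Remainder of a modulo the nonzero polynomial m, by long division."""
    a = poly_trim(a[:])
    inv = pow(m[-1], -1, p)
    while len(a) >= len(m):
        c = a[-1] * inv % p
        shift = len(a) - len(m)
        for i, mi in enumerate(m):
            a[shift + i] = (a[shift + i] - c * mi) % p
        poly_trim(a)  # the leading coefficient has just been zeroed
    return a

def poly_eval(a, x, p):
    r = 0
    for c in reversed(a):
        r = (r * x + c) % p
    return r

def interpolate(xs, ys, p):
    """Lagrange interpolation: the polynomial of degree < len(xs) through (x_i, y_i)."""
    v = []
    for i, (xi, yi) in enumerate(zip(xs, ys)):
        num, den = [1], 1
        for j, xj in enumerate(xs):
            if j != i:
                num = poly_mul(num, [(-xj) % p, 1], p)
                den = den * (xi - xj) % p
        scale = yi * pow(den, -1, p) % p
        v = poly_add(v, [c * scale % p for c in num], p)
    return v

def mumford(points, f, p):
    """Mumford representation (u, v) of sum(P_i) - k*inf, k the number of points.

    Opposite points (x, y) and (x, -y) add up to the principal divisor of x - x_0
    and are cancelled first; this is the condition on the representative in
    Example 2.  A point with y = 0 is its own opposite.  Repeated points, for
    which v would have to be found by a Hensel lift, are not handled here."""
    for x, y in points:
        if y * y % p != poly_eval(f, x, p):
            raise ValueError(f"({x}, {y}) is not on the curve")
    reduced = list(points)
    i = 0
    while i < len(reduced):
        x, y = reduced[i]
        partner = next((j for j in range(i + 1, len(reduced))
                        if reduced[j][0] == x and (reduced[j][1] + y) % p == 0), None)
        if partner is None:
            i += 1
        else:
            del reduced[partner]  # partner > i, so index i stays valid
            del reduced[i]
    xs = [x for x, _ in reduced]
    if len(set(xs)) != len(xs):
        raise NotImplementedError("repeated points: v(x) needs a Hensel lift")
    u = [1]
    for x in xs:
        u = poly_mul(u, [(-x) % p, 1], p)
    v = interpolate(xs, [y for _, y in reduced], p)
    return u, v

def is_mumford(u, v, f, p):
    """Defining property of a Mumford pair: deg v < deg u and u divides v^2 - f."""
    diff = poly_add(poly_mul(v, v, p), [(-c) % p for c in f], p)
    return len(v) < len(u) and poly_mod(diff, u, p) == []

def points_from_mumford(u, v, f, p):
    """Recover the affine points (x_i, v(x_i)); the roots of u are found by trying
    every element of F_p, so this only works when u splits over F_p."""
    return [(x, poly_eval(v, x, p)) for x in range(p) if poly_eval(u, x, p) == 0]

# Constructed sample input: the genus-2 curve y^2 = x^5 + 2x + 1 over F_7.
P_MOD = 7
CURVE_F = [1, 2, 0, 0, 0, 1]

if __name__ == "__main__":
    u, v = mumford([(1, 2), (2, 3)], CURVE_F, P_MOD)
    print(u, v, is_mumford(u, v, CURVE_F, P_MOD), points_from_mumford(u, v, CURVE_F, P_MOD))
```

For the two points (1, 2) and (2, 3) this gives u = x² + 4x + 2 (that is, (x − 1)(x − 2) mod 7) and v = x + 1, and the check v² − f ≡ 0 mod u passes; feeding the pair (1, 2), (1, 5) instead, where 5 ≡ −2, yields the zero divisor (u, v) = (1, 0).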
All abelian varieties of dimension one are isomorphic to an elliptic curve. In
dimension two, abelian varieties over K are either the product of two elliptic
curves over K or the Jacobian of a hyperelliptic curve of genus 2 over K. In the
latter case they are also called abelian surfaces. Abelian varieties of dimension
three can be classified as Jacobians of hyperelliptic curves of genus 3, Jacobians
of plane quartics, a product of three elliptic curves, or the product of an elliptic
curve and an abelian surface. In dimension four and five, abelian varieties
are always Prym varieties, but not necessarily products of Jacobians anymore.
Other types of abelian varieties exist in higher dimensions but are beyond the
scope of this manuscript (and of much of the current research).

2.1.2 Isogenies

The definition of isogeny is not necessarily restricted to principally polarized
abelian varieties; in particular it also does not require a (principal) polarization.
Definition 2. Let A/K and B/K be abelian varieties. An isogeny ϕ : A → B is
a surjective nonzero morphism with finite kernel that maps the identity element
of A to the identity element of B.

Since an isogeny ϕ : A → B is surjective, there is a morphism K(B) → K(A) of
function fields. This implies that the field extension K(A)/K(B) is well-defined
and the degree of the isogeny ϕ is the degree of this function field extension.
For computational purposes, isogenies are typically decomposed as a chain
of smaller prime (power) degree isogenies. An isogeny ϕ is called separable
(respectively (purely) inseparable) iff K(A)/K(B) is a separable (respectively
(purely) inseparable) field extension. Every isogeny ϕ : A → B can be factorized
as ϕ = ϕ1 ◦ ϕ2 , where ϕ2 : A → C is a separable isogeny and ϕ1 : C → B is a
purely inseparable isogeny. This factorization is unique up to isomorphism, i.e.
if $\varphi = \varphi_3 \circ \varphi_4$ is another such factorization with $\varphi_4 : A \to C'$, $\varphi_3 : C' \to B$,
then $\varphi_4 = \iota \circ \varphi_2$ and $\varphi_1 = \varphi_3 \circ \iota$ for some isomorphism $\iota : C \to C'$.
Example 3. Let A/K be an abelian variety, then $[n] : A \to A$, which maps
$D \in A$ to $\underbrace{D + D + \dots + D}_{n\text{ terms}} =: [n]D$, is an isogeny called the multiplication-by-$n$
isogeny. This isogeny has degree $n^{2g}$, with g the dimension of A. Furthermore,
if $\gcd(n, \mathrm{char}(K)) = 1$ then [n] is separable.
Example 4. Let A/K be an abelian variety, where K is a finite field with
$p^k$ elements. Define $\pi : A \to A$ on the level of points as mapping $(X_0 : \dots :
X_r) \in \mathbb{P}^r$ to $(X_0^{p^k} : \dots : X_r^{p^k}) \in \mathbb{P}^r$. Then π induces an isogeny on A called the
Frobenius endomorphism. The degree of π is $(p^k)^g$ and π is purely inseparable.

For every separable isogeny $\varphi : A \to B$, there exists an isogeny called the
dual isogeny of φ, denoted $\hat{\varphi} : B^\vee \to A^\vee$, such that $\deg \varphi = \deg \hat{\varphi}$. For a
general construction of the dual isogeny between abelian varieties, one needs
to use the dual abelian varieties, see for example [38, §7]. The dual of the
multiplication-by-n isogeny [n] is simply [n] again. The dual of the Frobenius
endomorphism π is called the Verschiebung and is not necessarily inseparable.
Two abelian varieties are called isogenous if there exists an isogeny between
them, which is an equivalence relation due to the existence of the dual isogeny.
We are mostly interested in separable isogenies for which the kernel has a
specific structure. Define the K-rational N-torsion of an abelian variety A/K
as the subgroup $A(K)[N] = \{D \in A(K) \mid ND = 0\}$, where $N \ge 2$ is an integer.
Assuming $\gcd(\mathrm{char}(K), N) = 1$, it can be shown that $A(\bar{K})[N] \cong (\mathbb{Z}/N\mathbb{Z})^{2g}$.
We will denote $A(\bar{K})[N]$ as $A[N]$ and only specify the field over which the
N-torsion is considered if it is critical to the discussion.
The principal polarization on A induces a perfect bilinear and antisymmetric
pairing

$e_N : A[N] \times A[N] \to \mu_N \subseteq \bar{K}$

called the Weil pairing, where $\mu_N$ is the group of $N$th roots of unity. Fixing
a primitive $N$th root of unity $\zeta_N \in \mu_N$, this pairing can be turned into the
symplectic form

$\langle \cdot, \cdot \rangle_N : A[N] \times A[N] \to \mathbb{Z}/N\mathbb{Z},\quad (D_1, D_2) \mapsto \log_{\zeta_N} e_N(D_1, D_2).$

A subgroup $G \subseteq A[N]$ is called isotropic if $\langle D_1, D_2 \rangle = 0$ for all $D_1, D_2 \in G$,
and it is called maximal isotropic if there is no isotropic group $G' \supsetneq G$. Even
though it is important to fix an N th root of unity for h·, ·i to be well-defined, it
is easy to see that the concept of being isotropic is independent of that choice.
If G is a maximal isotropic subgroup that is the kernel of an isogeny $\varphi : A \to
A/G$, then A/G comes naturally equipped with a principal polarization. A
maximal isotropic subgroup $G \subseteq A[N]$ is called an $(\underbrace{N, \dots, N}_{g\text{ times}})$-subgroup of
A, where g is the dimension of A. The isogeny with kernel G is called an
$(\underbrace{N, \dots, N}_{g\text{ times}})$-isogeny. In the case of elliptic curves, this type of isogenies are cyclic
isogenies generated by a single N-torsion element.

Example 5. Let E/K be an elliptic curve defined by the equation $y^2 = (x -
\alpha_1)(x - \alpha_2)(x - \alpha_3)$. One can easily verify that $E[2] = \{(\alpha_1, 0), (\alpha_2, 0), (\alpha_3, 0), \infty\}$,
such that all possible 2-isogenies with domain E are given by the 2-subgroups
$\{(\alpha_i, 0), \infty\}$ for $i \in \{1, 2, 3\}$.
2.1.3 Superspeciality

The notion of superspecial abelian varieties in the context of isogeny-based
cryptography can be tricky and we will start with the definition of a supersingular
elliptic curve. Remark that there are many equivalent characterizations of
supersingular elliptic curves that can serve as a definition. To avoid confusion
with the definitions up ahead we have chosen the following.
Definition 3. Let E/K be an elliptic curve over a field with char(K) = p > 0.
Then E is called supersingular iff its endomorphism ring over K is a full rank
order in a quaternion algebra.

An elliptic curve that is not supersingular is called ordinary. Up to isomorphism,
all supersingular elliptic curves can be defined with coefficients in $\mathbb{F}_{p^2}$. In
particular, they all have a j-invariant in $\mathbb{F}_{p^2}$ and only about $\lfloor p/12 \rfloor$ of the elements
of Fp2 represent the j-invariant of a supersingular elliptic curve. This implies that
the set of ordinary elliptic curves is dense over Fp , and that supersingular elliptic
curves are “exceptional” in a certain way. It is still an open problem whether
it is possible to efficiently write down the equation of a random supersingular
elliptic curve over a prime field of cryptographic size (e.g. p has 256 bits),
without knowing extra info about that curve such as its endomorphism ring or
an isogeny to an already-known supersingular elliptic curve. We can now define
the following.
Definition 4. Let A/K be an abelian variety over a field with char(K) = p > 0.
Then

1. A is called ordinary iff $A[p] = (\mathbb{Z}/p\mathbb{Z})^g$;
2. A is called very special iff A[p] = 0;
3. A is called supersingular iff – as an unpolarized abelian variety – A is
isogenous to a product of supersingular elliptic curves;
4. A is called superspecial iff – as an unpolarized abelian variety – A is
isomorphic to a product of supersingular elliptic curves.

We will call a curve ordinary, very special, supersingular or superspecial if
its respective Jacobian is. All of these notions are invariant under separable
isogenies, i.e. if a separable isogeny has a domain that is ordinary, very special,
supersingular or superspecial, then its codomain is also respectively ordinary,
very special, supersingular or superspecial. One can show that superspecial
implies supersingular, and that supersingular implies very special. From a
computational point of view, Definition 4 seems rather lackluster, since the lack
of polarization implies we do not have equations to work with, nor could an
algebraic software package easily verify if a given abelian variety is supersingular
or superspecial. Even worse, all unpolarized superspecial abelian varieties for a
given fixed dimension at least two are isomorphic to one another.
Assume from now on that we consider abelian varieties that are Jacobians
of curves, and that we work over a field K = Fpk . A Jacobian Jac(C) is
superspecial iff the Hasse-Witt matrix of C is identically zero. A Jacobian
Jac(C) is supersingular iff all Newton slopes of the characteristic polynomial of
Frobenius are equal to 1/2. A Jacobian Jac(C) is very special iff all Newton
slopes are strictly positive. Alternatively, a Jacobian Jac(C) is very special
iff $W_p \cdot W_p^{(p)} \cdot \ldots \cdot W_p^{(p^{g-1})}$ is zero, where $W_p$ is the Hasse-Witt matrix and
exponentiation with $(p^r)$ denotes applying $p^r$-Frobenius on its entries. For even
more different characterizations, we refer to [15, Chapter 2].
Example 6. Consider the hyperelliptic genus-3 curve $C/\mathbb{F}_p$, where p > 7 is a
prime, given by the equation $y^2 = x^7 - 1$. The Hasse-Witt matrix of C is the
$3 \times 3$-matrix over $\mathbb{F}_p$ given by $W_p = [w_{ij}]$, where $1 \le i, j \le 3$, and $w_{ij}$ is defined
as the $(pi - j)$th coefficient of $(x^7 - 1)^{(p-1)/2}$. The rank of the Hasse-Witt matrix
can thus be deduced from $pi - j \bmod 7$.
If p ≡ 1 mod 7, then $W_p$ is a full-rank diagonal matrix and hence C will be
ordinary. If p ≡ 6 mod 7 then $pi - j \equiv 0 \bmod 7$ does not occur for $1 \le i, j \le 3$,
hence $W_p$ is zero and C is superspecial. In case p ≡ 2, 4 mod 7, only one entry
of $W_p$ is nonzero, and this is respectively $w_{2,3}$ and $w_{3,2}$. In case p ≡ 3, 5 mod 7,
two entries of $W_p$ are nonzero, and they are respectively $w_{1,3}, w_{2,1}$ and $w_{1,2}, w_{3,1}$.
In all of the cases p ≡ 2, 3, 4, 5 mod 7 it is immediate that $(W_p)^3$ is zero and
thus that C is at least very special.
To distinguish between the case of supersingular and very special, we note
that the rank of this Hasse-Witt matrix being two is equivalent to the Newton
polygon having slopes 1/3 and 2/3 (see [73]). Hence, C is very special but not
supersingular if p ≡ 2, 4 mod 7. The only other option for the strictly positive
Newton slopes is 1/2, which must coincide with the case where the rank of the
Hasse-Witt matrix is one, so the cases p ≡ 3, 5 mod 7 represent supersingular
curves that are not superspecial.
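As an added example (not part of the thesis; the function names are mine), the following Python code carries out the computation of Example 6 for concrete primes: it builds the Hasse–Witt matrix of y² = x⁷ − 1 from the coefficients of (x⁷ − 1)^((p−1)/2), computes its rank over F_p, checks nilpotency (all entries lie in F_p, so the p^r-Frobenius acts trivially and the product W_p · W_p^(p) · W_p^(p²) is simply W_p³), and applies the rank/Newton-slope correspondence quoted above, which is specific to this family of curves.

```python
from math import comb


def hasse_witt_x7(p):
    """Hasse-Witt matrix W_p = [w_ij] of C: y^2 = x^7 - 1 over F_p (p > 7 prime):
    w_ij is the coefficient of x^(p*i - j) in (x^7 - 1)^((p-1)/2), 1 <= i, j <= 3."""
    n = (p - 1) // 2

    def coeff(e):
        # (x^7 - 1)^n = sum_k C(n, k) (-1)^(n-k) x^(7k): only multiples of 7 occur, and
        # C(n, k) with n < p is never 0 mod p, so the nonzero pattern is decided by
        # p*i - j mod 7 alone (as argued in Example 6).
        if e < 0 or e % 7 or e // 7 > n:
            return 0
        k = e // 7
        return comb(n, k) * (-1) ** (n - k) % p

    return [[coeff(p * i - j) for j in (1, 2, 3)] for i in (1, 2, 3)]


def rank_mod_p(M, p):
    """Rank of an integer matrix viewed over F_p (Gaussian elimination)."""
    M = [[v % p for v in row] for row in M]
    rank = 0
    for c in range(len(M[0])):
        pivot = next((r for r in range(rank, len(M)) if M[r][c]), None)
        if pivot is None:
            continue
        M[rank], M[pivot] = M[pivot], M[rank]
        inv = pow(M[rank][c], p - 2, p)
        M[rank] = [v * inv % p for v in M[rank]]
        for r in range(len(M)):
            if r != rank and M[r][c]:
                f = M[r][c]
                M[r] = [(a - f * b) % p for a, b in zip(M[r], M[rank])]
        rank += 1
    return rank


def mat_mul_mod(A, B, p):
    n = len(A)
    return [[sum(A[i][k] * B[k][j] for k in range(n)) % p for j in range(n)] for i in range(n)]


def nonzero_entries(p):
    """1-based positions (i, j) of the nonzero entries of W_p, in row-major order."""
    W = hasse_witt_x7(p)
    return [(i + 1, j + 1) for i in range(3) for j in range(3) if W[i][j]]


def classify_x7(p):
    """Type of Jac(C) for C: y^2 = x^7 - 1 over F_p, using the correspondence of Example 6
    for this family: rank 3 -> ordinary, W_p = 0 -> superspecial, rank 1 -> Newton slope 1/2
    (supersingular), rank 2 -> slopes 1/3 and 2/3 (very special but not supersingular)."""
    W = hasse_witt_x7(p)
    r = rank_mod_p(W, p)
    if r == 3:
        return "ordinary"
    if r == 0:
        return "superspecial"
    # W_p . W_p^(p) . W_p^(p^2) with trivial Frobenius on F_p entries is just W_p^3
    W3 = mat_mul_mod(mat_mul_mod(W, W, p), W, p)
    if any(v for row in W3 for v in row):
        return "not very special"  # does not occur for this family, kept for completeness
    return "supersingular (not superspecial)" if r == 1 else "very special (not supersingular)"
```

The primes 29, 13, 23, 11, 17 and 19 represent the residue classes 1, 6, 2, 4, 3 and 5 mod 7, and `classify_x7` sorts them into the four types exactly as the example predicts.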

In the case of genus one, i.e. A is an elliptic curve, the notions of very
special, supersingular and superspecial all coincide. For this reason, a common
characterization for a supersingular elliptic curve is that the curve has no
nontrivial p-torsion. In genus two, very special and supersingular are equivalent
(since strictly positive Newton slopes must necessarily be 1/2), but superspecial is
a stronger notion. One can wonder which of the generalizations of supersingular
elliptic curves would be most suitable when going to more general abelian
varieties. In the case of isogeny-based cryptography, one of the main reasons
for using supersingular elliptic curves is that they have an easy-to-identify
number of points over any field extension, and that they are all defined over
Fp2 . This can be shown to be only true for the strongest of the three notions
in Definition 4, namely the case of superspecial abelian varieties. With this in
mind, it would make more sense to talk about superspecial elliptic curves in the
context of isogeny-based cryptography, but the term supersingular has been well-
established by now. For any higher dimensional isogeny-based cryptographic
protocols though, the most fitting choice is superspecial abelian varieties.

2.2 Cryptographic background

In 2009, Charles, Goren and Lauter constructed a hash function from expander
graphs [23], which will be the topic of Subsection 2.2.1. Two years later, Jao
and De Feo constructed a public key exchange from isogenies that built upon
these same expander graphs [51], and we will take a closer look at this set-up
in Subsection 2.2.2. Finally, in Subsection 2.2.3, we will discuss a different
isogeny-based public key exchange by Castryck, Lange, Martindale, Panny and
Renes [20].

2.2.1 Charles–Goren–Lauter hash function

A cryptographic hash function is a one-way function that maps inputs of
arbitrary size to outputs of fixed size. In particular, one-way implies that given
any output, it is computationally infeasible to find an input that results in this
output. Additionally, it should be computationally infeasible to find two inputs
with the same output (i.e. the hash function should be collision resistant). Hash
functions are important building blocks for many other cryptographic protocols.
We will describe the CGL hash function based on expander graphs constructed
from isogenies between supersingular elliptic curves [23].
Fix a prime p of cryptographic size (e.g. p has 256 bits) and consider the
set V of all supersingular elliptic curves over F_{p²} up to isomorphism. Fix a
small prime ℓ (e.g. ℓ = 2) and consider the set E of all ℓ-isogenies between
any two elements of V. Then G_{p,ℓ} = (V, E) is a graph, where the vertices
of G_{p,ℓ} are isomorphism classes of supersingular elliptic curves and the edges
correspond to the ℓ-isogenies between them. By choosing p ≡ 1 mod 420 we
can avoid multi-edges between the same pair of vertices, and the dual isogeny
imposes a congruence relation which allows us to consider the graph as being
undirected [23].
[Figure 2.1: drawing of the graph G_{277,2}; its 23 vertices are labelled with the
j-invariants 235i+65, 22i+60, 236i+184, 85i+33, 244, 269i+53, 192i+11, 271i+172,
46i+100, 41i+61, 8i+29, 6i+154, 194i+39, 231i+238, 42i+216, 60i+101, 240i+27, 61,
195, 217i+4, 83i+67, 255i+126, 37i+193.]

Figure 2.1: The graph G_{277,2}, where the defining polynomial of F_{277²}/F_{277} is
x² − 3x + 5 with formal root i. The vertices are labeled with the j-invariants of
the elliptic curves. Remark that there is a loop, as well as a cycle of length two,
which can occur since 277 ≢ 1 mod 420.

The graph G_{p,ℓ} is a connected graph with ⌊p/12⌋ + ε vertices, where ε ∈ {0, 1, 2}
depends on the equivalence class of p mod 12; in the case p ≡ 1 mod 12 we have
ε = 0. Given that every elliptic curve has ℓ + 1 distinct subgroups of order ℓ,
there are ℓ + 1 isogenies in the edge set with domain any given supersingular
elliptic curve, making the graph G_{p,ℓ} an (ℓ + 1)-regular graph. Since G_{p,ℓ} is
connected and (ℓ + 1)-regular, the largest eigenvalue of its adjacency matrix will
be ℓ + 1. One can show that the second largest eigenvalue (in absolute value)
of this graph is at most 2√ℓ, making G_{p,ℓ} a Ramanujan graph. A Ramanujan
graph is an optimal type of expander graph, which are sparse graphs that still
exhibit strong connectivity properties. In particular, the diameter of G_{p,ℓ} is
roughly log(p), and the endpoints of random walks of length roughly log(p) in the
graph are indistinguishable from uniformly random vertices. A small example of
such a graph can be seen in Figure 2.1, which visually illustrates the strong
connectivity.
Turning the graph G_{p,ℓ} into a hash function can be done as follows for ℓ = 2.
Fix a supersingular elliptic curve E_0 from the vertex set as a starting
curve. Of the three 2-isogenies with domain E_0, discard one arbitrarily, but
deterministically. Assume the input of the hash function is an integer m, which
is then converted into bits. Label the two remaining 2-isogenies with domain
E_0 deterministically such that they have an order (e.g. lexicographically with
regards to the construction of F_{p²}/F_p). If the least significant bit of m is zero,
we walk along the edge of the first 2-isogeny, and if it is one, we walk along the
edge of the second 2-isogeny. We have now processed the first bit of m and have
arrived at a new elliptic curve E_1. We continue this process until all bits of m
have been processed, keeping in mind to no longer discard one of the outgoing
2-isogenies arbitrarily, but to always discard the dual isogeny relative to the
isogeny corresponding to the edge we just walked along. This ensures that we
do not trivially backtrack during the walk in our graph, which would immediately
yield collisions in our hash function. After all bits have been processed, we end up
at an elliptic curve E_{⌈log₂ m⌉} and take its j-invariant as output, which is always
defined over F_{p²}. Alternatively, note that the output set of j-invariants of
supersingular elliptic curves is sparse in F_{p²} since there are only about ⌊p/12⌋
of them. Hence, one can use a well-chosen linear congruential function (i.e. a
discontinuous piecewise linear equation) to map them into F_p and only have log(p)
output bits.
We will discuss methods to easily compute ℓ-isogenies in Chapter 3. For ℓ = 2,
the arithmetic is fairly simple and boils down to a square root computation in
F_{p²} with a handful of extra arithmetic operations, see Example 5. If one wants
to use a different ℓ, it suffices to change the message m into a base-ℓ number
and proceed accordingly. Note that significant improvements with regards to
speeding up the walk in the graph G_{p,ℓ} have been made. In [37] for example,
they use supersingular elliptic curves with rational 2^r-torsion, allowing batches
of r bits of the message to be processed simultaneously.
The starting curve E_0 is public information, so in order to find a preimage of
an output j ∈ F_{p²} of the hash function, one would need to find a 2^r-isogeny
ϕ : E_0 → E(j), where E(j) is an elliptic curve with j-invariant j. Assuming p
is large enough, this is considered a hard problem. In order to find a collision in
the hash function, one would need to find two distinct isogenies ϕ_1 : E_0 → E(j)
and ϕ_2 : E_0 → E(j) of respective degrees 2^{r_1} and 2^{r_2}. Here, distinct means
that there are no isomorphisms ι_1, ι_2 such that ϕ_1 = ϕ_2 ∘ ι_1 or ϕ_1 = ι_2 ∘ ϕ_2.
Alternatively, one can consider ϕ̂_2 ∘ ϕ_1 and notice that this problem is equivalent
to finding a nontrivial endomorphism of E_0 with a cyclic kernel. Both of these
are considered to be hard problems again, assuming the endomorphism ring of
E_0 is not known and p is large enough.
Generalizing the above construction to abelian varieties of dimension at least
two is subtle. Charles, Goren and Lauter have constructed Ramanujan graphs
from isogenies between superspecial abelian varieties in [22], but identifying
and computing the isogenies is computationally complex. Typically, (N, …, N)-isogenies
are easier to compute than general isogenies, but constructing a graph
with these edges comes with its own issues. One of the concerns is that such
graphs contain a lot of small cycles, see for example [41]. Another problem is
that defining the edge set, vertex set and undirectedness is not a clear-cut matter,
and can result in graphs that are not expander graphs, regardless of possible
small cycles [40]. Recent work by Aikawa, Tanaka and Yamauchi however,
has shown one can define all these notions in such a way that the graphs are
expander graphs, albeit not Ramanujan [1]. Additionally, the computational
complexity of isogenies in higher dimensions is high, even more so when taking
into account that the domain and codomain may be a different type of abelian
variety.
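The walk described above, as an added example that is not part of the thesis (the names, the toy prime p = 431 and the choice of starting curve are mine): curves are kept in Montgomery form y² = x³ + Ax² + x over F_{p²} = F_p(i), whose three 2-torsion points are (0, 0) and the roots (α, 0) of x² + Ax + 1. The 2-isogeny with kernel ⟨(α, 0)⟩, α ≠ 0, has codomain coefficient A′ = 2(1 − 2α²), and on the codomain the kernel of its dual is generated by (0, 0). Every step therefore discards the (0, 0) edge and a message bit picks one of the two remaining roots, which is precisely the one-square-root-per-step arithmetic mentioned earlier. The walk starts at A = 6 (2-isogenous to y² = x³ + x with j = 1728, hence supersingular) rather than at j = 1728 itself, because the extra automorphism of that curve makes the two non-(0, 0) kernels ±i lead to the same codomain. The classical modular polynomial Φ₂ is included only as an independent check that consecutive vertices are 2-isogenous.

```python
P = 431  # toy prime 2^4 * 3^3 - 1; p ≡ 3 (mod 4), so F_{p^2} = F_p(i) with i^2 = -1


class Fp2:
    """Elements a + b*i of F_{p^2} = F_p(i), i^2 = -1 (valid because p ≡ 3 mod 4)."""

    def __init__(self, a, b=0):
        self.a, self.b = a % P, b % P

    @staticmethod
    def _lift(o):
        return o if isinstance(o, Fp2) else Fp2(o)

    def __eq__(self, o):
        o = Fp2._lift(o)
        return self.a == o.a and self.b == o.b

    def __neg__(self):
        return Fp2(-self.a, -self.b)

    def __add__(self, o):
        o = Fp2._lift(o)
        return Fp2(self.a + o.a, self.b + o.b)

    def __sub__(self, o):
        return self + (-Fp2._lift(o))

    def __rsub__(self, o):
        return Fp2._lift(o) - self

    def __mul__(self, o):
        o = Fp2._lift(o)
        return Fp2(self.a * o.a - self.b * o.b, self.a * o.b + self.b * o.a)

    __radd__, __rmul__ = __add__, __mul__

    def inv(self):
        n = pow(self.a * self.a + self.b * self.b, P - 2, P)  # 1 / Norm(self) in F_p
        return Fp2(self.a * n, -self.b * n)

    def __truediv__(self, o):
        return self * Fp2._lift(o).inv()

    def __pow__(self, e):
        r, base = Fp2(1), self
        while e:
            if e & 1:
                r = r * base
            base, e = base * base, e >> 1
        return r

    def __repr__(self):
        return f"{self.a}+{self.b}i"


def sqrt_fp2(a):
    """Square root in F_{p^2} for p ≡ 3 mod 4 (Adj / Rodriguez-Henriquez style);
    raises ValueError if a is not a square."""
    a1 = a ** ((P - 3) // 4)
    alpha = a1 * a1 * a          # a^((p-1)/2), a norm-1 element when a is a square
    x0 = a1 * a                  # a^((p+1)/4)
    x = Fp2(0, 1) * x0 if alpha == -1 else (alpha + 1) ** ((P - 1) // 2) * x0
    if x * x != a:
        raise ValueError("not a square in F_{p^2}")
    return x


def j_inv(A):
    """j-invariant of the Montgomery curve y^2 = x^3 + A x^2 + x."""
    return 256 * (A * A - 3) ** 3 / (A * A - 4)


def step(A, bit):
    """Walk one edge of G_{p,2}: drop the (0,0) edge (dual of the previous step) and let
    `bit` choose between the two roots alpha of x^2 + A x + 1, ordered by (re, im)."""
    d = sqrt_fp2(A * A - 4)
    roots = sorted([(d - A) / 2, (-d - A) / 2], key=lambda r: (r.a, r.b))
    alpha = roots[bit]
    return 2 * (1 - 2 * alpha * alpha)          # codomain of the 2-isogeny with kernel (alpha, 0)


def walk_js(message, A0=Fp2(6)):
    """j-invariants of all vertices visited while hashing `message` (bytes), starting at
    E_0: y^2 = x^3 + 6x^2 + x and reading the bits of every byte least significant first."""
    A, js = A0, [j_inv(A0)]
    for byte in message:
        for k in range(8):
            A = step(A, (byte >> k) & 1)
            js.append(j_inv(A))
    return js


def cgl_hash(message):
    """CGL hash: the j-invariant (an element of F_{p^2}) of the final vertex of the walk."""
    return walk_js(message)[-1]


def phi2(X, Y):
    """Classical modular polynomial Phi_2(X, Y) in F_{p^2}: zero iff X, Y are 2-isogenous j's."""
    X2, Y2 = X * X, Y * Y
    return (X2 * X + Y2 * Y - X2 * Y2 + 1488 * (X2 * Y + X * Y2) - 162000 * (X2 + Y2)
            + 40773375 * X * Y + 8748000000 * (X + Y) - 157464000000000)


def count_points_fp(A):
    """#E(F_p) of y^2 = x^3 + A x^2 + x for A in F_p by brute force (toy p only);
    the curve is supersingular iff this equals p + 1."""
    n = 1  # point at infinity
    for x in range(P):
        rhs = (x * x * x + A * x * x + x) % P
        n += 1 if rhs == 0 else (2 if pow(rhs, (P - 1) // 2, P) == 1 else 0)
    return n
```

With p = 431 there are only 37 supersingular j-invariants, so collisions between short messages are unavoidable here; the point of the toy is the per-step mechanics (one square root, one deterministic choice, never the dual), not collision resistance.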

2.2.2 Supersingular Isogeny Diffie–Hellman

We can use the graphs G_{p,ℓ} from Subsection 2.2.1 to create an isogeny-based
public key exchange called Supersingular Isogeny Diffie–Hellman. Fix two small
distinct primes ℓ_A and ℓ_B, and a large prime p such that p = ℓ_A^{e_A} ℓ_B^{e_B} ± 1 and
ℓ_A^{e_A} ≈ ℓ_B^{e_B}. Fix a supersingular elliptic curve E_0 as starting curve, together
with a basis of the ℓ_A^{e_A}- and ℓ_B^{e_B}-torsion of E_0. Supersingular elliptic curves
over F_{p²} can be chosen to have (p ± 1)² rational points, depending on whether
you work on a curve or its twist, so assuming we choose appropriately, we have
|E_0(F_{p²})| = (ℓ_A^{e_A} ℓ_B^{e_B})². This ensures the torsion we want is rational, and given
that it is free of rank two, we can write E_0[ℓ_A^{e_A}] = ⟨P_A, Q_A⟩ and E_0[ℓ_B^{e_B}] =
⟨P_B, Q_B⟩ for certain P_A, Q_A, P_B, Q_B ∈ E_0(F_{p²}). The public information can
thus be summarized as

(p = ℓ_A^{e_A} ℓ_B^{e_B} ± 1, E_0, P_A, Q_A, P_B, Q_B).

Assume Alice and Bob want to exchange a key through a public channel
with these parameters. Alice chooses a random integer k_A ∈ {0, …, ℓ_A^{e_A} − 1},
computes the cyclic ℓ_A^{e_A}-isogeny ϕ_A : E_0 → E_A with kernel ⟨P_A + k_A Q_A⟩, as
well as ϕ_A(P_B) and ϕ_A(Q_B). Mutatis mutandis, Bob chooses a random integer
k_B ∈ {0, …, ℓ_B^{e_B} − 1}, computes the cyclic ℓ_B^{e_B}-isogeny ϕ_B : E_0 → E_B with
kernel ⟨P_B + k_B Q_B⟩, as well as ϕ_B(P_A) and ϕ_B(Q_A). Alice sends the triple
(E_A, ϕ_A(P_B), ϕ_A(Q_B)) to Bob, and Bob sends the triple (E_B, ϕ_B(P_A), ϕ_B(Q_A))
to Alice. Alice now computes the cyclic ℓ_A^{e_A}-isogeny ϱ_A : E_B → E_{AB} with
kernel ⟨ϕ_B(P_A) + k_A ϕ_B(Q_A)⟩, while Bob computes the cyclic ℓ_B^{e_B}-isogeny ϱ_B :
E_A → E_{BA} with kernel ⟨ϕ_A(P_B) + k_B ϕ_A(Q_B)⟩. Both Alice and Bob have now
computed a noncyclic isogeny with domain E_0 and kernel ⟨P_A + k_A Q_A, P_B +
k_B Q_B⟩, such that E_{AB} ≅ E_{BA}. With this last piece of information in mind,
Alice and Bob now have a shared secret key by simply computing the
j-invariant of E_{AB}. See the commutative diagram below for an overview of the
construction.

          ϕ_A              ϱ_B
    E_0 -------> E_A -------> E_{AB} ≅ E_{BA}
    E_0 -------> E_B -------> E_{BA}
          ϕ_B              ϱ_A

Alice and Bob can only make the above diagram commute by also transferring
the images of their partner's public torsion points. Indeed, P_B + k_B Q_B is not
even a point on the curve E_A that Alice sends to Bob, nor does k_B have any
particular meaning since there is no way to generate ℓ_B^{e_B}-torsion generators
P′_B, Q′_B of E_A that are exactly the images of P_B and Q_B under ϕ_A.
The underlying hardness assumption of SIDH is that, given the public
parameters (p = ℓ_A^{e_A} ℓ_B^{e_B} ± 1, E_0, P_A, Q_A, P_B, Q_B), as well as E_A, E_B and
even ϕ_A(P_B), ϕ_A(Q_B), ϕ_B(P_A), ϕ_B(Q_A), it is computationally infeasible to
find j(E_{AB}). In 2016, an adaptive attack was discovered such that Alice and
Bob should not use static keys without a key encapsulation [44], which gave
rise to SIKE [2]. In 2017, Petit showed that ℓ_A^{e_A} ≈ ℓ_B^{e_B} must necessarily hold
or the protocol can be attacked by using the images of torsion points [70].
Apart from this, very little progress has been made at tackling the underlying
hardness assumption. If anything, the originally proposed SIKE parameters for
the NIST post-quantum standardization process were deemed too conservative
and adjusted to become more efficient whilst still keeping the required levels
of security. In June 2021, Microsoft launched two SIKE challenges with even
smaller parameters with bounties of $5,000 and $50,000. At the time of writing
this thesis, only the easiest of the two has been solved [59]. (Shortly after this
thesis was submitted, in July 2022, Castryck and Decru published a polynomial-time
key-recovery attack on SIDH/SIKE that exploits exactly the published torsion-point
images, after which SIKE was withdrawn from the NIST process; the hardness
assumption above should therefore be regarded as broken.)
Generalizing the above construction to abelian varieties of dimension greater
than one runs into similar issues as was the case in the generalization of the CGL
hash function from Subsection 2.2.1. In particular, a big hurdle in this instance
is the computational complexity of many of the involved formulae. Even in the
simplest of cases, i.e. using (2, 2)- and (3, 3)-isogenies on abelian varieties of
dimension two, a current state-of-the-art implementation takes approximately
five minutes for a key exchange [41].

2.2.3 Commutative Supersingular Isogeny Diffie–Hellman

As mentioned earlier, CSIDH does not really resemble the construction of SIDH,
despite its name. In particular it does not make use of the graph Gp,` from
Subsection 2.2.1, but still uses isogenies between supersingular elliptic curves.
One of the main differences is that we will work over a prime field Fp instead of
its quadratic extension Fp2 . We will begin by constructing a new graph Hp .
Fix a prime p > 3 of cryptographic size of the form p = 4 · ℓ_1 · ℓ_2 · … · ℓ_k · f − 1,
where the ℓ_i are distinct small odd primes and f is a cofactor such that p
is prime. Consider a supersingular elliptic curve E_0 over F_p. Its Frobenius
endomorphism π then satisfies π ∘ π = [−p], such that Z[√−p] can be seen as a
subring of the F_p-rational endomorphisms of E_0. Since p ≡ 3 mod 4, this leaves
us with two options for End_p(E_0), namely Z[√−p] or Z[(1 + √−p)/2]. In the
former case, E_0 is said to be on the floor, whereas in the latter case, E_0 is said
to be on the surface. The terminology stems from the volcano-like structure
of the 2-isogeny graph of supersingular elliptic curves over F_p, see [34]. The
vertex set V of our graph H_p consists of all supersingular elliptic curves over
F_p that are on the floor, i.e. they all have endomorphism ring Z[√−p]. The
edge set E of H_p then consists of all F_p-rational ℓ_i-isogenies between any two
elements of V, with 1 ≤ i ≤ k. An illustrative example of such a graph is shown
in Figure 2.2.
Even though a graph constructed this way is also an expander graph, it is
immediately clear that the behavior of the graph H_p is wildly different from the
behavior of G_{p,ℓ}. Notably, the edges corresponding to F_p-rational ℓ_i-isogenies
seem to form cycles on the vertex set V of H_p. This can be explained as follows.
Let Cl(Z[√−p]) be the ideal-class group of Z[√−p], and [a] the class of an
invertible ideal a ⊆ Z[√−p]. Identify Z[√−p] with the endomorphism ring of
E_0 through the isomorphism mapping π to √−p. Define a subgroup E_0[a] ⊆ E_0
as follows:

E_0[a] = ⋂_{φ∈a} {P ∈ E_0 | φ(P) = ∞}.

It can be shown that Cl(Z[√−p]) acts freely and transitively on the set of
supersingular elliptic curves with endomorphism ring Z[√−p], when the action
of [a] is given by mapping E_0 to aE_0 := E_0/E_0[a], see for example [78]. In
the language of Couveignes, this can be used as a hard homogeneous space for
cryptographic purposes [31].
Figure 2.2: The graph H_p for p = 659 = 4 · 3 · 5 · 11 − 1 and ℓ_i ∈ {3, 5, 11}.
The edges corresponding to the 3- and 11-isogenies form a full cycle of length
33 each. The edges corresponding to 5-isogenies form three disjoint cycles of
length 11.

The tricky part about this set-up is that - ideally - we want to sample elements
from Cl(Z[√−p]) uniformly at random to work in this hard homogeneous space.
Note that even if this could be done, computing the class group action of a
uniformly random [a] on an elliptic curve can be difficult if [a] is given as an ideal
of large prime norm. Assuming the Riemann hypothesis, every such ideal class
[a], however, can be written as a product of ideal classes of small prime norm. In
our setting, it can be shown that ℓ_i splits in Z[√−p] for all 1 ≤ i ≤ k. Moreover,
for each ℓ_i in this setting the ideal (ℓ_i) splits as (ℓ_i, π − 1)(ℓ_i, π + 1) =: l_i l̄_i,
where π is the Frobenius endomorphism. Heuristically, it can be shown that
every ideal class [a] can be written as

[a] = [l_1]^{e_1} · [l_2]^{e_2} · … · [l_k]^{e_k},

where e_i are integers for all 1 ≤ i ≤ k, and where for each negative exponent
e_i one should interpret [l_i]^{e_i} as [l̄_i]^{|e_i|}. Heuristically, it can also be shown
that "enough" elements of this form with small e_i are indistinguishable from
uniformly random elements from Cl(Z[√−p]), see [20]. More precisely, we know
that Cl(Z[√−p]) has approximately √p elements, so we can choose a maximum
value m_i for each integer e_i such that −m_i ≤ e_i ≤ m_i and ∏_{i=1}^{k} (2m_i + 1) ≈ √p.
Since every supersingular elliptic curve in this setting has p + 1 F_p-rational
points, there is an F_p-rational ℓ_i-torsion point for all 1 ≤ i ≤ k, and hence the
action of [l_i] can be computed rather easily. For the conjugate ideal classes [l̄_i]
we need to find an F_p-rational ℓ_i-torsion point on the quadratic twist of the
curve, but a good choice of elliptic curve form makes this part trivial. This
implies we can effectively store and do computations with a set of class group
elements that is indistinguishable from the full class group. For a concrete
example, take the 511-bit prime p from [20] defined as

p = 4 · (3 · 5 · 7 · 11 · … · 373) · 587 − 1,

where 3 · 5 · … · 373 is the product of the first 73 odd primes. In this instance,
we have 74 small odd primes, so by taking |e_i| ≤ 5 for all 1 ≤ i ≤ 74 we see that
e_i can take 11 distinct integer values such that

√p = 2^{255.334…} ≈ 2^{255.997…} = 11^{74}.

Turning this hard homogeneous space into a public key exchange can be done
as follows. Alice samples a random integer vector a of length k, with the ith
entry corresponding to ei in the above setting, where −mi ≤ ei ≤ mi for some
predetermined maximum value mi . This integer vector represents an ideal class
[a] in the class group. Similarly, Bob samples a vector b corresponding to an
ideal class [b] in the class group. Alice now computes the action of [a] on the
public starting curve E0 , while Bob computes the action of [b]. Alice and Bob
now exchange the keys aE0 and bE0 . They can now both compute abE0 , which
is equal to baE0 due to the commutativity of the class group. See below for a
schematic overview of the key exchange.

          [a]              [b]
    E_0 -------> aE_0 -------> abE_0 = baE_0
    E_0 -------> bE_0 -------> baE_0
          [b]              [a]

No research has been done to generalize this construction to abelian varieties of
higher dimension. Assuming no conceptual obstacles, computing F_p-rational
(ℓ, ℓ)-isogenies for primes ℓ > 3 over fields of cryptographic size involves highly
nontrivial arithmetic which - for now - would render the scheme completely
impractical as we will see in Section 4.5.
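The class group action and key exchange above, as an added example that is not taken from the thesis or from the CSIDH implementation (all names are mine): it uses the toy prime p = 4 · 3 · 5 · 7 − 1 = 419 that the CSIDH paper uses for illustration, Montgomery curves E_A : y² = x³ + Ax² + x with A ∈ F_p, x-only arithmetic, and the simplification of handling one ℓ_i at a time instead of pushing one point through several isogenies. The codomain of an odd-degree isogeny is obtained from the Costello–Hisil/Renes formula A′ = π²(A − 6σ + 6σ̃) with σ = Σ x([i]Q), σ̃ = Σ 1/x([i]Q) and π = Π x([i]Q) over i = 1, …, (ℓ−1)/2. A sampled x with x³ + Ax² + x a square in F_p gives a point on E_A (π acts as +1, so it generates E_A[l_i]); a non-square gives a point on the twist, i.e. the conjugate ideal l̄_i. Because p ≡ 3 mod 8, every curve on the floor has a unique Montgomery coefficient, so curves (and the shared secret) can be compared as elements of F_p. The starting curve y² = x³ + x is supersingular (p ≡ 3 mod 4) and on the floor (p ≡ 3 mod 8). Φ₃ from Example 9 later in the text is used only as an independent check on a 3-isogeny step.

```python
import random

P = 419            # 4 * 3 * 5 * 7 - 1, prime, p ≡ 3 (mod 8)
LS = (3, 5, 7)     # the small odd primes l_i dividing p + 1


def xdbl(Pt, A):
    """x-only doubling on E_A in projective (X:Z) coordinates."""
    X, Z = Pt
    t0, t1 = (X + Z) ** 2 % P, (X - Z) ** 2 % P
    t2 = (t0 - t1) % P                                     # 4XZ
    return t0 * t1 % P, t2 * (t1 + (A + 2) * pow(4, P - 2, P) * t2) % P


def xadd(Pt, Q, D):
    """x-only differential addition: x(Pt + Q) from x(Pt), x(Q) and D = x(Pt - Q)."""
    u = (Pt[0] - Pt[1]) * (Q[0] + Q[1]) % P
    v = (Pt[0] + Pt[1]) * (Q[0] - Q[1]) % P
    return D[1] * (u + v) ** 2 % P, D[0] * (u - v) ** 2 % P


def ladder(k, x, A):
    """Montgomery ladder: (X:Z) of [k]P for the point P with x(P) = x, k >= 1.
    Works for points on E_A and on its quadratic twist alike (only x and A are used)."""
    R0, R1 = (x, 1), xdbl((x, 1), A)
    for bit in bin(k)[3:]:                                 # bits below the leading one
        if bit == "1":
            R0, R1 = xadd(R0, R1, (x, 1)), xdbl(R1, A)
        else:
            R0, R1 = xdbl(R0, A), xadd(R0, R1, (x, 1))
    return R0


def isogeny_codomain(A, xq, l):
    """Montgomery coefficient of E_A / <Q> for Q of odd order l with x(Q) = xq:
    A' = pi^2 (A - 6 sigma + 6 sigma_t), sigma = sum x_i, sigma_t = sum 1/x_i,
    pi = prod x_i, with x_i = x([i]Q) for i = 1..(l-1)/2 (Costello-Hisil / Renes)."""
    d = (l - 1) // 2
    pts = [(xq, 1), xdbl((xq, 1), A)]
    while len(pts) < d:
        pts.append(xadd(pts[-1], pts[0], pts[-2]))        # [i+1]Q = [i]Q + Q, difference [i-1]Q
    xs = [X * pow(Z, P - 2, P) % P for X, Z in pts[:d]]
    sigma = sum(xs) % P
    sigma_t = sum(pow(x, P - 2, P) for x in xs) % P
    pi = 1
    for x in xs:
        pi = pi * x % P
    return (A - 6 * sigma + 6 * sigma_t) * pi * pi % P


def act(A, e, rng=None):
    """Action of [l_3]^e[0] [l_5]^e[1] [l_7]^e[2] on E_A, one prime at a time."""
    rng = random.Random() if rng is None else rng
    e = list(e)
    for idx, l in enumerate(LS):
        while e[idx] != 0:
            x = rng.randrange(1, P)
            rhs = (x * x * x + A * x * x + x) % P
            if rhs == 0:
                continue                                   # x of a 2-torsion point, useless
            # square rhs: point on E_A(F_p), Frobenius eigenvalue +1, ideal (l, pi - 1);
            # non-square rhs: point on the twist, eigenvalue -1, conjugate ideal (l, pi + 1)
            s = 1 if pow(rhs, (P - 1) // 2, P) == 1 else -1
            if s != (1 if e[idx] > 0 else -1):
                continue
            X, Z = ladder((P + 1) // l, x, A)              # keeps only the l-part of the point
            if Z == 0:
                continue                                   # the point had no l-component
            A = isogeny_codomain(A, X * pow(Z, P - 2, P) % P, l)
            e[idx] -= s
    return A


def is_supersingular(A):
    """#E_A(F_p) == p + 1, by brute force (toy p only)."""
    n = 1
    for x in range(P):
        rhs = (x * x * x + A * x * x + x) % P
        n += 1 if rhs == 0 else (2 if pow(rhs, (P - 1) // 2, P) == 1 else 0)
    return n == P + 1


def j_inv(A):
    return 256 * pow(A * A - 3, 3, P) * pow(A * A - 4, P - 2, P) % P


def phi3(X, Y):
    """Classical modular polynomial Phi_3 (coefficients as in Example 9) reduced mod p."""
    terms = [(4, 0, 1), (0, 4, 1), (3, 3, -1), (3, 2, 2232), (2, 3, 2232),
             (3, 1, -1069956), (1, 3, -1069956), (3, 0, 36864000), (0, 3, 36864000),
             (2, 2, 2587918086), (2, 1, 8900222976000), (1, 2, 8900222976000),
             (2, 0, 452984832000000), (0, 2, 452984832000000), (1, 1, -770845966336000000),
             (1, 0, 1855425871872000000000), (0, 1, 1855425871872000000000)]
    return sum(c * pow(X, i, P) * pow(Y, j, P) for i, j, c in terms) % P


def key_exchange(ea, eb, seed=0):
    """Alice publishes [a]E_0, Bob publishes [b]E_0; both derive [b][a]E_0 = [a][b]E_0."""
    rng = random.Random(seed)
    A_pub, B_pub = act(0, ea, rng), act(0, eb, rng)
    return act(B_pub, ea, rng), act(A_pub, eb, rng)
```

The sampled kernel point only decides which generator of E_A[l_i] is used; the codomain is the same whichever point is found, which is why `act` is deterministic even though it samples randomly and why Alice and Bob end on the same coefficient.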

2.3 Conclusion

In this chapter we have established a mathematical framework to provide the
basis for isogeny-based cryptography. Isogenies between abelian varieties were
defined in their most general form, of which cyclic ℓ-isogenies between elliptic
curves are the simplest example. Extra attention was given to several types
of exceptional abelian varieties. Superspecial abelian varieties are most fitting
to use in cryptographic protocols, since they have an easy-to-predict number
of points and they can all be defined over Fp2 . Superspecial elliptic curves
are typically referred to as supersingular elliptic curves, which in general is a
different notion, but equivalent in the case of elliptic curves.
Despite there being numerous isogeny-based cryptographic protocols, their
general framework typically falls into one of the two categories which we
discussed. The CGL hash function and SIDH for example work with a graph
where the vertices are Fp2 -isomorphism classes of supersingular elliptic curves,
and the edges are all ℓ-isogenies for a fixed small prime ℓ. CSIDH on the other
hand, works in a graph over F_p where the vertices are F_p-isomorphism classes
of supersingular elliptic curves, and the edges are all F_p-rational ℓ_i-isogenies for
many fixed small primes `i . Both of these graphs are expander graphs, which
are sparse graphs with high connectivity.
Chapter 3

Isogenies between elliptic curves

It is possible to write endlessly on elliptic curves.
(This is not a threat.)

Serge Lang

In this chapter we will delve into the arithmetic involved in isogeny computations
between elliptic curves. Our main focus will be on separable cyclic isogenies
over finite fields of characteristic different from two and three, but we will
specify where needed. Section 3.1 will elaborate on what form the rational
map of an isogeny has, as well as some commonly-used polynomials related to
isogeny computations. In particular, these polynomials can be used in many
algebraic software packages to compute isogenies. In Section 3.2 we will discuss
a classical result by Vélu to compute isogenies. On input of an elliptic curve
in long Weierstraß form and a point generating the kernel of a cyclic isogeny,
Vélu’s formulae can compute both the codomain curve as well as the image of
any point under the isogeny. Finally, we finish this chapter by expanding upon
a recent breakthrough in isogeny computations in Section 3.3, where Vélu’s
formulae have gained an asymptotic square root factor speed-up in terms of the
number of Fq -operations.

3.1 Kernel, division and modular polynomials

An isogeny ϕ : E → E′ is a morphism that maps points P ∈ E to points
ϕ(P) ∈ E′. If P = ∞ then ϕ(P) = ∞ must necessarily hold. Assume that
ϕ(P ) 6= ∞ and that both E and E 0 are given in long Weierstraß form over
K[x, y]. Then generically we want to map a point P = (x, y) to a point
P 0 = (x0 , y 0 ), where x0 and y 0 are both rational expressions in K(x, y). The
following theorem shows what these expressions look like.
Theorem 1. Let E : y² + a₁xy + a₃y = x³ + a₂x² + a₄x + a₆ and E′ :
y² + a′₁xy + a′₃y = x³ + a′₂x² + a′₄x + a′₆ be elliptic curves over K. If ϕ : E → E′
is a separable isogeny, then there is a rational function ϕ₀(x) and a constant
c ∈ K̄^× such that

ϕ(x, y) = ( ϕ₀(x), c·y·ϕ₀′(x) + ½·(−a′₁·ϕ₀(x) − a′₃ + c·(a₁x + a₃)·ϕ₀′(x)) ),

where ϕ₀′(x) is the formal derivative of ϕ₀(x).

Proof. See for example [42, Theorem 9.7.5].

Knowledge of the x-coordinate of ϕ(P) already determines its y-coordinate up
to sign, so it is not surprising that the expressions are related by a certain
common function ϕ₀(x). If we furthermore assume that char(K) ≠ 2, then up
to isomorphism we can choose a₁ = a₃ = a′₁ = a′₃ = 0 such that the expression
turns into

ϕ(x, y) = (ϕ₀(x), c·y·ϕ₀′(x)).

Write ϕ₀(x) = ϕ₁(x)/ϕ₂(x), where ϕ₁(x), ϕ₂(x) are univariate polynomials in K[x] that
share no roots in K̄. Then one can show that deg ϕ = max{deg ϕ₁(x), deg ϕ₂(x)}.
The roots of ϕ₂(x) determine all x-coordinates of points P such that ϕ(P) = ∞,
i.e. if ϕ₂(x) vanishes on x(P) then P is in the kernel of ϕ. Note that when P is
in the kernel of an isogeny, kP is necessarily in the kernel as well for all k ∈ Z.
The polynomial ϕ₂(x) can thus be seen as defining a finite subgroup of E that
we quotient out with the isogeny ϕ.
Theorem 2. Let E/K be an elliptic curve over K and G ⊆ E a finite subgroup
that is defined over K. Then there is a unique elliptic curve E 0 = E/G and
an isogeny ϕ : E → E 0 such that ker ϕ = G, where both E 0 and ϕ are defined
over K. The uniqueness of E 0 is up to isomorphism, and ϕ is unique up to
postcomposition with an isomorphism of E 0 or the Frobenius endomorphism of
E0.
Proof. See [42, Theorem 9.6.19].

A separable isogeny ϕ over a perfect field K is K-rational if its kernel is defined
over K, i.e. σ(P) ∈ ker ϕ for all P ∈ ker ϕ and all σ ∈ Gal(K̄/K). In practice,
this is equivalent to ϕ₂(x) being defined over K[x] and not over some extension.
This does not imply that the points in the kernel are defined over the ground
field however, as can be seen from the following example.
Example 7. Let E/F₂₉ : y² = x³ + 2x + 5 and E′/F₂₉ : y² = x³ − 9x + 4 be
elliptic curves. Then there exists a 3-isogeny ϕ : E → E′ with

ϕ(x, y) = ( x(x² + 15x − 1)/(x − 7)² , y · ( x(x² + 15x − 1)/(x − 7)² )′ ).

The kernel subgroup of ϕ is {∞, (7, √14), (7, −√14)} ⊆ E(F_{29²}). One can verify
that the two nontrivial points of this subgroup have order 3.

Theorem 2 gives us an alternative way of thinking of (separable) isogenies.
Any separable isogeny can be identified with its kernel, up to some uniqueness
subtleties that typically do not matter from a cryptographic point of view. Given
a finite subgroup G ⊆ E we will talk about the isogeny with kernel G if there is
no need for these uniqueness concerns. Up to multiplicities of the factors, the
polynomial ϕ₂(x) can thus be written as ϕ₂(x) = ∏_{P∈G∖{∞}} (x − x(P)), where
the points are not necessarily defined over the ground field. Algebraic software
packages such as Magma [14] can easily compute the isogeny determined by E
and ϕ2 (x). In Section 3.2 we will give formulae to deduce a cyclic separable
isogeny from just E and a kernel generator. If we want to compute an isogeny
of a certain degree N , it can thus be immensely helpful to find all the N -
torsion of E. The N -torsion subgroup E[N ] ⊆ E is exactly the kernel of the
multiplication-by-N map. The following is a helpful theorem to compute this
map explicitly [82, Exercise 3.6].
Theorem 3. Let E/K : y² + a₁xy + a₃y = x³ + a₂x² + a₄x + a₆ be an elliptic
curve and N a nonnegative integer. Then the multiplication-by-N isogeny on E
is given by

N·P = ( φ_N(P)/ψ_N(P)² , ω_N(P)/ψ_N(P)³ ),

where
ψ₀ = 0,
ψ₁ = 1,
ψ₂ = 2y + a₁x + a₃,
ψ₃ = 3x⁴ + b₂x³ + 3b₄x² + 3b₆x + b₈,
ψ₄/ψ₂ = 2x⁶ + b₂x⁵ + 5b₄x⁴ + 10b₆x³ + 10b₈x² + (b₂b₈ − b₄b₆)x + (b₄b₈ − b₆²),
ψ_{2N+1} = ψ_{N+2}·ψ_N³ − ψ_{N−1}·ψ_{N+1}³ if N ≥ 2,
ψ_{2N} = (ψ_{N+2}·ψ_{N−1}² − ψ_{N−2}·ψ_{N+1}²)·ψ_N/ψ₂ if N ≥ 3,
φ_N = x·ψ_N² − ψ_{N+1}·ψ_{N−1},
ω_N = (ψ_{2N} − ψ_N²·(a₁φ_N + a₃ψ_N²)) / (2ψ_N),
b₂ = a₁² + 4a₂,
b₄ = 2a₄ + a₁a₃,
b₆ = a₃² + 4a₆,
b₈ = a₁²a₆ + 4a₂a₆ − a₁a₃a₄ + a₂a₃² − a₄².

The polynomial ψ_N of Theorem 3 is called the N-division polynomial of E. They
can easily be computed by an algebraic software package from the recurrence
relation, especially for small N. For all P ∈ E[N] it holds that ψ_N(x(P)) = 0.
Note that if N is composite, a P ∈ E that satisfies ψ_N(x(P)) = 0 does not
necessarily have exact order N. If one is interested in finding the x-coordinate
of points of exact order N, then ψ_N should first be divided by lcm_{d | N, d ≠ N} {ψ_d}.
Example 8. Let E/F₂₉ : y² = x³ + 2x + 5 be the elliptic curve of Example 7.
Then the 6-division polynomial is given by

ψ₆ = (x + 10)(x + 11)(x − 14)(x − 7)(x − 5)(x² + x + 12)(x² + 5x + 2)·
(x² − 10x + 15)(x² − 8x + 6)(x² − 8x − 1)(x² − 3x − 2)(x² − x + 4).

If we want to find a kernel generator for a cyclic isogeny of degree 6, we
need to quotient out the factors of ψ₂ = (x + 10)(x² − 10x + 15) as well as
ψ₃ = (x − 14)(x − 7)(x² − 8x − 1). This leaves us with a degree-12 polynomial
ψ₆/(ψ₂ψ₃) of which the roots are the x-coordinates of all points of exact order 6.

In certain cases, we may not be interested in the exact map nor the kernel
subgroup of an isogeny. In the CGL hash function from Subsection 2.2.1 for
example, we are interested in all elliptic curves Ei that are `-isogenous to a
given elliptic curve E for a fixed small prime `. More specifically, we are only
interested in the curves up to isomorphism, thus from the j-invariant j(E) we
want to find the j-invariants j(Ei ).
Definition 5. The polynomial Φ_ℓ(X, Y) ∈ Z[X, Y], such that Φ_ℓ(j(E), j(E′)) =
0 for all E and E′ which can be connected by a cyclic ℓ-isogeny, is called the
(classical) ℓ-th modular polynomial.

The proof of the existence and construction of the classical ℓ-th modular
polynomial was historically done by the modular j-function over the complex
field. For some more recent results regarding the computation of these
polynomials, we refer to [39].
The ℓ-th modular polynomial is a symmetric polynomial in two variables, i.e.
Φ_ℓ(X, Y) = Φ_ℓ(Y, X), with degree ℓ + 1 in both variables. The coefficients of
these polynomials scale up with ℓ and storing them runs up the memory usage
rather quickly; the constant term for ℓ = 17 for example is already a 705-bit
integer. There are methods to efficiently compute the ℓ-th modular polynomial
modulo some prime p, either globally (i.e. as bivariate polynomial) or locally
(i.e. as univariate polynomial where one of the variables is replaced by
a known j-invariant already) [21]. More recent work by Sutherland regarding
these polynomials can be found in [89], where he managed to evaluate the ℓ-th
modular polynomial for ℓ = 100,019.
Example 9. Let E/F29 : y 2 = x3 + 2x + 5 be the elliptic curve of Example 7.
The 3rd modular polynomial in global form over Z[X, Y ] is given by

Φ3 (X, Y ) = X 4 − X 3 Y 3 + 2232X 3 Y 2 − 1069956X 3 Y + 36864000X 3 +


2232X 2 Y 3 + 2587918086X 2 Y 2 + 8900222976000X 2 Y +
452984832000000X 2 − 1069956XY 3 + 8900222976000XY 2 −
770845966336000000XY + 1855425871872000000000X + Y 4 +
36864000Y 3 + 452984832000000Y 2 + 1855425871872000000000Y.

Over F₂₉[X, Y] this reduces to

Φ₃(X, Y) = X⁴ − X³Y³ − X³Y² − X³Y + 12X³ − X²Y³ − 9X²Y² − 8X²Y −
10X² − XY³ − 8XY² + 8XY + 6X + Y⁴ + 12Y³ − 10Y² + 6Y.

Evaluating Φ₃(X, Y) at X = j(E) = 2 results in the local polynomial Φ₃(2, Y) =
(Y + 4)(Y − 2)³. This means that E is 3-isogenous to an elliptic curve with
j-invariant 25 (which is E′ from Example 7), and 3-isogenous to an elliptic
curve with j-invariant 2 through 3 distinct isogenies.

There are other useful ways in which this modular polynomial can be used.
In the CSIDH setting from Section 2.2.3 for example, every elliptic curve E
is ℓ_i-isogenous to exactly two other elliptic curves over the prime field F_p for
each of the odd primes ℓ_i dividing p + 1. Hence the local polynomial Φ_ℓ(j(E), Y) will
have exactly two F_p-rational roots, which can be retrieved relatively efficiently by
various algorithms. Assuming we try to compute a cyclic ℓ^k-isogeny by chaining
ℓ-isogenies this way, we only have to make a choice for the first ℓ-isogeny and
keep track of the j-invariant of the previous domain curve to choose the correct
root of Φ_ℓ(j(E), Y) at each subsequent step in the chain, since the dual isogeny
of the previous step must be F_p-rational as well and we have to explicitly not
choose this one.

3.2 Vélu’s formulae

In Section 3.1 we have seen that by using division polynomials, it is relatively
easy to find points of order N on an elliptic curve E/K, especially if N is
small. Alternatively, over a finite field F_q, if we know that the size of the
maximal cyclic subgroup of E(F_q) is e_q, we can simply sample a random point
P ∈ E(F_q), compute (e_q/N)·P and hope we do not end up with ∞. The smaller
N, the more likely this happens, but even if so, we can just try again with a
different P . The subgroup E[N ] ⊆ E(Fq ) can be generated by (at most) two
Fq -rational generators, so a little trial-and-error should yield the full subgroup
E[N ] relatively quickly. Any nontrivial element of E[N ] can serve as generator
for a cyclic separable N -isogeny. Since such elements are fairly easy to compute
and take little memory to store, they are often used as a representative for an
isogeny in accordance with Theorem 2.
In 1971, Vélu already solved the problem of computing the codomain curve of a
separable isogeny ϕ, given just the domain and the elements of the kernel [92].
These formulae also include a way to compute images of points on E as well.

Theorem 4. Let $E/K : y^2 + a_1xy + a_3y = x^3 + a_2x^2 + a_4x + a_6$ be an elliptic curve in long Weierstraß form, and $G \subseteq E(K)$ a finite subgroup. Partition $G$ as follows:
$$G = \{\infty\} \cup G_1 \cup G_1' \cup G_2,$$
where $G_2$ contains the order-2 points of $G$, and $G_1$ is such that for every $P \in G_1$ it holds that $-P \in G_1'$. Write $S = G_1 \cup G_2$ and for $Q \in S$ define
$$\begin{aligned}
g_Q^x &= 3x(Q)^2 + 2a_2x(Q) + a_4 - a_1y(Q),\\
g_Q^y &= -2y(Q) - a_1x(Q) - a_3,\\
u_Q &= (g_Q^y)^2, \qquad v_Q = \begin{cases} g_Q^x & \text{if } 2Q = \infty,\\ 2g_Q^x - a_1g_Q^y & \text{else,}\end{cases}\\
v &= \sum_{Q \in S} v_Q, \qquad w = \sum_{Q \in S} \bigl(u_Q + x(Q)v_Q\bigr),\\
A_1 &= a_1, \quad A_2 = a_2, \quad A_3 = a_3,\\
A_4 &= a_4 - 5v, \quad A_6 = a_6 - (a_1^2 + 4a_2)v - 7w.
\end{aligned}$$

Then the separable isogeny $\varphi$ with domain $E$ and kernel $G$ has codomain $E' = E/G$ which, up to isomorphism, can be given by the long Weierstraß equation

$$E'/K : y^2 + A_1xy + A_3y = x^3 + A_2x^2 + A_4x + A_6.$$

Furthermore, for $P \in E$ it holds that

$$x(\varphi(P)) = x(P) + \sum_{Q \in G \setminus \{\infty\}} \bigl(x(P+Q) - x(Q)\bigr), \qquad y(\varphi(P)) = y(P) + \sum_{Q \in G \setminus \{\infty\}} \bigl(y(P+Q) - y(Q)\bigr).$$

Proof. See for example [92] or [42, Theorem 25.1.6].

In Theorem 4, the summations run over all nontrivial elements of G, or roughly half of them. Either way, the number of arithmetic operations that need to be performed to compute an isogeny according to Vélu's formulae is O(|G|) for a finite subgroup G ⊆ E. Since separable isogenies can be factorized into a concatenation of cyclic prime-degree isogenies, quite often it can be beneficial to compute a large-degree isogeny in factorized form. Keep in mind though, that this comes with a possibly large amount of overhead where points need to be pushed through. More concretely, if G = ⟨P_1, P_2, …, P_r⟩ ⊆ E, with ord(P_1) = ℓ an odd prime, and we want to compute E/⟨P_1⟩ first, we need to compute 2P_1, …, ((ℓ−1)/2)P_1 as well as the images of all r−1 points P_2, …, P_r, which take O(ℓ) arithmetic operations each. For a discussion regarding optimizing the trade-off between ℓ and r, see for example [51, Section 4].
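Theorem 4 carried out in code, as an added example that is neither the thesis' nor Vélu's own code: the formulae are specialised to a short Weierstrass curve y² = x³ + a₄x + a₆ over F_p with p > 3 (so a₁ = a₂ = a₃ = 0), the kernel is enumerated from a generator, and both the codomain coefficients and the image of a point are computed exactly as the theorem states them. The toy input is constructed: p = 29, E : y² = x³ + 1 and the order-3 kernel generated by (0, 1); the function names are mine.

```python
# Added example: Vélu's formulae (Theorem 4) for y^2 = x^3 + a4 x + a6 over F_p, p > 3.

INF = None  # the point at infinity

def inv(v, p):
    return pow(v, -1, p)

def add(P, Q, a4, p):
    """Affine group law on y^2 = x^3 + a4 x + a6 (a6 is not needed for the addition law)."""
    if P is INF:
        return Q
    if Q is INF:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return INF                                  # Q = -P
    if P == Q:
        lam = (3 * x1 * x1 + a4) * inv(2 * y1, p) % p
    else:
        lam = (y2 - y1) * inv(x2 - x1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return x3, (lam * (x1 - x3) - y1) % p

def subgroup(Q, a4, p):
    """The finite subgroup G = <Q> as a list, starting with the point at infinity."""
    pts, R = [INF], Q
    while R is not INF:
        pts.append(R)
        R = add(R, Q, a4, p)
    return pts

def velu_codomain(a4, a6, G, p):
    """(A4, A6) of E' = E/G by Theorem 4 with a1 = a2 = a3 = 0."""
    S, seen = [], set()          # S = G1 ∪ G2: one point of each pair {Q, -Q}, plus the 2-torsion
    for Q in G:
        if Q is INF or Q in seen:
            continue
        S.append(Q)
        seen.add(Q)
        seen.add((Q[0], (-Q[1]) % p))
    v = w = 0
    for x, y in S:
        gx = (3 * x * x + a4) % p        # g_Q^x
        gy = (-2 * y) % p                # g_Q^y
        u = gy * gy % p                  # u_Q = (g_Q^y)^2
        vq = gx if y == 0 else 2 * gx    # v_Q: 2Q = ∞ exactly when y = 0
        v = (v + vq) % p
        w = (w + u + x * vq) % p
    return (a4 - 5 * v) % p, (a6 - 7 * w) % p

def velu_image(P, a4, G, p):
    """phi(P) for the separable isogeny with kernel G, by the point formulae of Theorem 4."""
    if P in G:
        return INF
    x, y = P
    for Q in G:
        if Q is INF:
            continue
        xs, ys = add(P, Q, a4, p)
        x = (x + xs - Q[0]) % p
        y = (y + ys - Q[1]) % p
    return x, y

def on_curve(P, a4, a6, p):
    if P is INF:
        return True
    x, y = P
    return (y * y - x ** 3 - a4 * x - a6) % p == 0

if __name__ == "__main__":
    p, a4, a6 = 29, 0, 1
    G = subgroup((0, 1), a4, p)                  # {∞, (0, 1), (0, 28)}
    A4, A6 = velu_codomain(a4, a6, G, p)         # E' : y^2 = x^3 + 2, i.e. y^2 = x^3 - 27
    print("codomain:", (A4, A6), "image of (2, 3):", velu_image((2, 3), a4, G, p))
```

For the 3-isogeny with kernel at x = 0 on y² = x³ + b the codomain is the familiar y² = x³ − 27b, and the point (2, 3), which has order 6, lands on the 2-torsion point (3, 0) of the codomain, as one expects from a degree-3 isogeny.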
Vélu's formulae can be made easier if we restrict ourselves to fields of characteristic different from two and three. Throughout the past decades, research has been devoted to obtain similar (projective or affine) formulae for other forms of elliptic curves. For analogous formulae for elliptic curves in Edwards or Huff form, see for example [62]. As mentioned in Section 1.1, the Montgomery ladder is one of the most efficient ways to compute scalar multiplications on an elliptic curve. The following is a result from Renes to compute an isogeny in Vélu-style on the Montgomery form of an elliptic curve.
Theorem 5. Let $E/K : y^2 = x^3 + ax^2 + x$ be an elliptic curve over a field with characteristic different from two, where $a^2 \neq 4$. Let $\varphi$ be a separable isogeny with domain $E$ and kernel $G \not\ni (0, 0)$. Then, up to isomorphism, the codomain of $\varphi$ is given by $E'/K : y^2 = x^3 + Ax^2 + x$, where $A = \pi(a - 3\sigma)$ and

$$\pi = \prod_{P \in G \setminus \{\infty\}} x(P), \qquad \sigma = \sum_{P \in G \setminus \{\infty\}} \left(x(P) - \frac{1}{x(P)}\right).$$

Furthermore, for a generic point $P = (x, y) \in E$ it holds that $\varphi(P) = (f(x), c\,y\,f'(x))$, where

$$c^2 = \pi, \qquad f(x) = x \prod_{P \in G \setminus \{\infty\}} \frac{x\,x(P) - 1}{x - x(P)}.$$

Proof. See [74, Proposition 1].

These formulae are extensively used in the CSIDH protocol, where further
optimizations such as projective coordinates are used [20].


3.3 √élu's square-root formulae

With the notation of Theorem 5, assume we are given a subgroup G = ⟨Q⟩ ⊆ E such that the order of Q is an odd integer ℓ. If we then want to compute the codomain curve E′ or the image of a point of E under the isogeny ϕ, a straightforward computational approach would require us to compute kQ for k ∈ {1, 2, …, ℓ − 1}, and then add or multiply the corresponding rational expressions. Since ℓ is assumed odd, it holds that x(kQ) = x(−kQ) such that we only need to compute (ℓ−1)/2 scalar multiples. Either way, the number of arithmetic operations in this computation is of the order O(ℓ). In [6], Bernstein, De Feo, Leroux and Smith developed a new way to efficiently evaluate expressions like these in Õ(√ℓ), which we'll summarize in this section.¹ In essence, a smart choice of Õ(√ℓ) elements from {Q, 2Q, …, (ℓ − 1)Q} allows us to evaluate the expression by means of a resultant computation.

¹ Note that the title of this section references the arithmetic complexity of the formulae: at no point during the computation does one need to compute a square root. Depending on how the notion of "formulae" is defined, this can also be considered an evaluation scheme applicable to a wide range of formulae, and not a collection of actual formulae.
Keeping the notation from before, consider the set
$$S = \{1, 3, 5, \ldots, \ell - 1\},$$
which covers exactly all choices of $k$ such that we need the $x$-coordinate of $kQ$ to evaluate Vélu-style formulae such as those from Theorem 5. Define $b = \lfloor \sqrt{\ell + 1}/2 \rfloor$ and $b' = \lfloor (\ell + 1)/4b \rfloor$ (unless $b = 0$, in which case $b' = 0$). Furthermore, define the sets
$$I = \{2b(2i + 1) \mid 0 \le i < b'\}, \qquad J = \{2j + 1 \mid 0 \le j < b\}.$$
The pair $(I, J)$ is called an index system of $S$ in [6]. This means that $I + J$ and $I - J$ are both contained in $S$, and that the maps $I \times J \to S$ defined by $(i, j) \mapsto i + j$ and $(i, j) \mapsto i - j$ are both injective and have disjoint images. Writing $I \pm J$ for the union of $I + J$ and $I - J$, we see that
$$S = (I \pm J) \cup K,$$
where $K = \{4bb' + 1, 4bb' + 3, \ldots, \ell - 2, \ell\}$. Note that $|I| \le b + 2$, $|J| = b$ and $|K| \le 2b - 1$; in particular, all three of these sets have $O(\sqrt{\ell})$ elements.
Recall that we are working on an elliptic curve $E$ in Montgomery form, typically over a finite field, i.e. $E/\mathbb{F}_q : y^2 = x^3 + Ax^2 + x$. For an equation of this form, define the biquadratic polynomials over $\mathbb{F}_q[x_1, x_2]$ as follows:
$$\begin{aligned}
F_0(x_1, x_2) &= (x_1 - x_2)^2,\\
F_1(x_1, x_2) &= -2\bigl((x_1x_2 + 1)(x_1 + x_2) + 2Ax_1x_2\bigr),\\
F_2(x_1, x_2) &= (x_1x_2 - 1)^2.
\end{aligned}$$
These polynomials are defined as satisfying the relation
$$(x - x(P + Q))(x - x(P - Q)) = x^2 + \frac{F_1(x(P), x(Q))}{F_0(x(P), x(Q))}\,x + \frac{F_2(x(P), x(Q))}{F_0(x(P), x(Q))}$$
for all $P, Q \in E$ such that $\infty \notin \{P, Q, P + Q, P - Q\}$.² With these functions and the partition $S = \{1, 3, \ldots, \ell - 1\} = (I \pm J) \cup K$, we will now show how we can evaluate the function
$$h_S(x) = \prod_{s \in S} (x - x(sQ))$$
in $x = \alpha$ in $\tilde{O}(\sqrt{\ell})$ $\mathbb{F}_q$-operations, where $\ell$ is the order of $Q \in E$ and $x(\infty)$ is defined as $0$.

² Note that these functions also play a vital role in the efficient arithmetic of the scalar multiplication on elliptic curves in Montgomery form by means of the Montgomery ladder [8].

Theorem 6. With the notations from above, define
$$D_J(z) = \prod_{j \in J} F_0(z, x(jQ)), \qquad E_J(z) = \prod_{j \in J} \bigl(F_0(z, x(jQ))\,\alpha^2 + F_1(z, x(jQ))\,\alpha + F_2(z, x(jQ))\bigr).$$
Then
$$h_S(\alpha) = \frac{\mathrm{Res}_z\bigl(h_I(z), E_J(z)\bigr) \cdot h_K(\alpha)}{\mathrm{Res}_z\bigl(h_I(z), D_J(z)\bigr)},$$
which can be computed in $\tilde{O}(\sqrt{\ell})$ $\mathbb{F}_q$-operations.

Proof. For a proof of the correctness of this theorem, see [6, Theorem 4.11]. For the complexity, note that both $D_J(z)$ and $E_J(z)$ can be computed in $\tilde{O}(|J|)$ $\mathbb{F}_q$-operations. The expressions $h_I(z)$ and $h_K(\alpha)$ can be computed in respectively $\tilde{O}(|I|)$ and $\tilde{O}(|K|)$ $\mathbb{F}_q$-operations. The two resultants in the final expression can be computed in $\tilde{O}(\max(|I|, |J|))$ $\mathbb{F}_q$-operations (through for example continued fractions [88]).

To wrap things up, we still need to link the function evaluation $h_S(\alpha)$ to Theorem 5, where we would like to find the evaluation
$$f(\alpha) = \alpha \prod_{0 < i < \ell} \frac{\alpha\,x(iQ) - 1}{\alpha - x(iQ)}.$$
For this, it suffices to verify that
$$f(\alpha) = \frac{\alpha^\ell \cdot h_S(1/\alpha)^2}{h_S(\alpha)^2},$$
where $S = \{1, 3, \ldots, \ell - 1\}$ as before. It hence suffices to compute two evaluations of $h_S(x)$ to obtain the $x$-coordinate of a point pushed through an isogeny. Remark that the denominator of $h_S(\alpha)$ (i.e. the resultant $\mathrm{Res}_z(h_I(z), D_J(z))$, which does not depend on $\alpha$) appears in the numerator and denominator of $f(\alpha)$ with equal multiplicity, hence it need not even be computed. If one is interested in the resulting $y$-coordinate as well, note that it requires $f'(\alpha)$ (see Theorem 5) and by [6, Example 4.13] one can just as efficiently evaluate the derivative of this polynomial.
Finally, we are also typically interested in the Montgomery coefficient $A'$ of the codomain $E' : y^2 = x^3 + A'x^2 + x$ of the isogeny $\varphi : E \to E'$. For this, we can change the base ring from $\mathbb{F}_q$ to $\mathbb{F}_q[\alpha]/(\alpha^2 + A\alpha + 1)$, compute $\alpha' = x(\varphi((\alpha, 0)))$ (where $(\alpha, 0)$ is a 2-torsion point), to then find $A' = -(\alpha' + 1/\alpha')$. Alternatively, in the CSIDH setting, we can use the twisted Edwards formulae from [62] and see that
$$A' = 2\,\frac{1 + d}{1 - d}, \qquad d = \left(\frac{A - 2}{A + 2}\right)^{\ell} \left(\frac{h_S(1)}{h_S(-1)}\right)^{8}.$$
Both of these approaches take another two applications of evaluating the function $h_S(x)$.
Many isogeny-based cryptographic protocols rely on computing isogenies of relatively large degree. CSIDH for example requires isogenies of prime degree up to 587 in their lowest security setting [20], whereas B-SIDH's most noteworthy example requires isogenies of prime degree up to 7901 [29]. Even though the evaluations in this section have an asymptotic square-root factor improvement in terms of F_q-operations, in practice it is still necessary to find the exact threshold at which they overtake the classical evaluation in terms of efficiency. In [6] it was argued that their Magma implementation showed improved performance as soon as ℓ ≥ 113, whereas their FLINT implementation did so as soon as ℓ ≥ 150. Some further arithmetic optimization pushed this boundary to roughly ℓ ≥ 89, see [3].
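Theorems 5 and 6 exercised on a constructed toy curve, as an added example that is not code from the thesis or from [6]. Everything named here is my choice: p = 151 (so that y² = x³ + x is supersingular with p + 1 = 8 · 19 points), the kernel generator Q of order ℓ = 19, and the function names. The x-only arithmetic is the standard projective Montgomery ladder (xDBL/xADD), which the text does not spell out. The set S is taken as the odd k with 1 ≤ k ≤ ℓ − 2, one representative of each pair ±kQ, which is what the formula for f(α) needs, and K is computed as S \ (I ± J) from the defining property S = (I ± J) ∪ K. The two resultants of Theorem 6 are expanded as Res_z(h_I, g) = ∏_{i∈I} g(x(iQ)), valid because h_I is monic; this reproduces the identity exactly, but not the √ℓ running time, which is the whole point of the real algorithm.

```python
# Added example: Montgomery-form Vélu (Theorem 5) checked against the h_S identity of Theorem 6.
from math import isqrt

p = 151     # constructed: p = 3 mod 4, so E : y^2 = x^3 + x is supersingular with p + 1 points
a = 0       # E : y^2 = x^3 + a x^2 + x, #E(F_p) = 152 = 8 * 19
ell = 19    # odd prime order of the kernel generator Q

def inv(v):
    return pow(v, -1, p)

def xdbl(X, Z):
    t0, t1 = (X - Z) ** 2 % p, (X + Z) ** 2 % p
    t2 = (t1 - t0) % p                                   # 4XZ
    return t0 * t1 % p, t2 * (t0 + (a + 2) * inv(4) * t2) % p

def xadd(XP, ZP, XQ, ZQ, Xd, Zd):
    """Differential addition (P, Q, P - Q) -> P + Q in projective x-coordinates."""
    u, v = (XP - ZP) * (XQ + ZQ) % p, (XP + ZP) * (XQ - ZQ) % p
    return Zd * (u + v) ** 2 % p, Xd * (u - v) ** 2 % p

def xmul(k, x):
    """x(kP) from x(P) by the Montgomery ladder; None if kP is the point at infinity."""
    R0, R1 = (1, 0), (x, 1)
    for bit in bin(k)[2:]:
        if bit == "0":
            R1, R0 = xadd(*R0, *R1, x, 1), xdbl(*R0)
        else:
            R0, R1 = xadd(*R0, *R1, x, 1), xdbl(*R1)
    return None if R0[1] == 0 else R0[0] * inv(R0[1]) % p

def is_rational_x(x, A):
    """Is x the x-coordinate of an F_p-rational point of y^2 = x^3 + A x^2 + x?"""
    rhs = (x ** 3 + A * x * x + x) % p
    return rhs == 0 or pow(rhs, (p - 1) // 2, p) == 1

def find_kernel_x():
    """x(Q) for a point Q of order ell, as ((p+1)/ell) P for the first rational P found."""
    for x0 in range(1, p):
        if not is_rational_x(x0, a):
            continue
        xQ = xmul((p + 1) // ell, x0)
        if xQ is not None and xmul(ell, xQ) is None:
            return xQ
    raise ValueError("no point of order ell")

def kernel_xs(xQ):
    """[x(Q), x(2Q), ..., x((ell-1)Q)]; note that x(kQ) = x((ell-k)Q)."""
    return [xmul(k, xQ) for k in range(1, ell)]

# Theorem 5, evaluated naively in O(ell): codomain coefficient A and the x-map f.
def codomain_A(xs):
    pi, sigma = 1, 0
    for x in xs:
        pi, sigma = pi * x % p, (sigma + x - inv(x)) % p
    return pi * (a - 3 * sigma) % p

def f_direct(alpha, xs):
    out = alpha
    for x in xs:
        out = out * (alpha * x - 1) * inv(alpha - x) % p
    return out

# Theorem 6: index system for S = {1, 3, ..., ell-2} and the biquadratics F0, F1, F2.
S = list(range(1, ell - 1, 2))
b = isqrt(ell + 1) // 2
bp = (ell + 1) // (4 * b) if b else 0
I = [2 * b * (2 * i + 1) for i in range(bp)]
J = [2 * j + 1 for j in range(b)]
K = sorted(set(S) - {i + j for i in I for j in J} - {i - j for i in I for j in J})

def F0(x1, x2): return (x1 - x2) ** 2 % p
def F1(x1, x2): return -2 * ((x1 * x2 + 1) * (x1 + x2) + 2 * a * x1 * x2) % p
def F2(x1, x2): return (x1 * x2 - 1) ** 2 % p

def h_direct(alpha, xs, idx):
    """prod_{s in idx} (alpha - x(sQ)), the O(|idx|) evaluation."""
    out = 1
    for s in idx:
        out = out * (alpha - xs[s - 1]) % p
    return out

def h_S_sqrt(alpha, xs):
    """h_S(alpha) = Res_z(h_I, E_J) h_K(alpha) / Res_z(h_I, D_J), resultants as products over I."""
    num = den = 1
    for i in I:
        zi = xs[i - 1]
        for j in J:
            xj = xs[j - 1]
            den = den * F0(zi, xj) % p                                                  # D_J(z_i)
            num = num * (F0(zi, xj) * alpha * alpha + F1(zi, xj) * alpha + F2(zi, xj)) % p  # E_J(z_i)
    return num * h_direct(alpha, xs, K) * inv(den) % p

def f_via_hS(alpha, xs):
    """f(alpha) = alpha^ell h_S(1/alpha)^2 / h_S(alpha)^2 for alpha nonzero and not a kernel x."""
    ia = inv(alpha)
    return pow(alpha, ell, p) * h_S_sqrt(ia, xs) ** 2 * inv(h_S_sqrt(alpha, xs) ** 2) % p

if __name__ == "__main__":
    xs = kernel_xs(find_kernel_x())
    print("index system:", I, J, K, " codomain A =", codomain_A(xs))
```

Two things are worth checking once the block runs: that f_via_hS and f_direct agree for every admissible α, and that f_direct maps every F_p-rational x-coordinate of E to an F_p-rational x-coordinate of the computed codomain, which is how one can catch a wrong A without computing y-coordinates.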

3.4 Conclusion

In this chapter we have discussed some of the most important arithmetic properties involving isogeny computations. The concepts of kernel, division and modular polynomials were explained and illustrated.
A common way to characterize a separable cyclic isogeny of degree ℓ is by an ℓ-torsion point that generates the kernel of this isogeny. We have showcased Vélu's formulae, as well as a variation on them for curves in Montgomery form, which take as input such an ℓ-torsion point, and compute both the codomain curve and the image of points pushed through the corresponding isogeny. A straightforward way of evaluating these formulae takes O(ℓ) arithmetic operations in F_q, but a clever way of using resultants to combine a certain subset of these operations results in an algorithm that only requires Õ(√ℓ) F_q-operations. In practice, this asymptotic improvement occurs for ℓ ≥ 89.
Chapter 4

(N, N)-isogenies between two-dimensional abelian varieties

Since it is true for n = 1, it holds
for all n.

Anonymous undergraduate student

In this chapter we will elaborate on the arithmetic involved in isogenies between two-dimensional abelian varieties. We will restrict ourselves to (N, N)-isogenies, i.e. the isogenies with (N, N)-subgroup kernels, since these are best-understood and are closest to the cyclic elliptic-curve isogenies in the cryptographic setting. We will start by exploring the isogenies between products of two elliptic curves in Section 4.1. Next, we take a look at isogenies where the type of the abelian variety in the domain and the codomain differ in Section 4.2: a product of elliptic curves can be glued together to a Jacobian of a genus-2 curve by means of an isogeny, and - vice versa - a Jacobian of a genus-2 curve can split into a product of elliptic curves. Finally, we will take a look at (N, N)-isogenies between Jacobians of genus-2 curves. More particularly, the (2, 2)-isogenies will be discussed in Section 4.3, the (3, 3)-isogenies in Section 4.4, and a more general construction for (ℓ, ℓ)-isogenies in Section 4.5, where ℓ is any prime.


4.1 Isogenies between products of elliptic curves

The easiest type of (N, N)-isogenies can be obtained by taking the product of two N-isogenies between elliptic curves. Let ϕ_1 : E_1 → E_1′ and ϕ_2 : E_2 → E_2′ be degree-N isogenies between elliptic curves. Then

$$\Phi : E_1 \times E_2 \to E_1' \times E_2', \qquad (P, Q) \mapsto (\varphi_1(P), \varphi_2(Q))$$

is an (N, N)-isogeny between abelian varieties of dimension two. This is a consequence of the fact that the Weil pairing on products of elliptic curves is obtained from the component-wise product of the Weil pairings on the respective curves. Assuming ker ϕ_1 = ⟨P_1⟩ and ker ϕ_2 = ⟨P_2⟩, ker Φ = ⟨(P_1, ∞), (∞, P_2)⟩, such that e_N((P_1, ∞), (∞, P_2)) = e_N(P_1, ∞) · e_N(∞, P_2) = 1, where the factorization needs to be seen as a Weil pairing computed on E_1 multiplied with a Weil pairing computed on E_2. A kernel of the form ⟨(P_1, ∞), (∞, P_2)⟩ is called a diagonal kernel in this setting. As we will see in Section 4.2, a nondiagonal kernel of an (N, N)-isogeny with domain a product of elliptic curves will generically result in a codomain that is an abelian surface, apart from the exceptional case that will be discussed now.
The only nondiagonal type of (N, N)-subgroup of (E_1 × E_2)[N] that can be the kernel of an (N, N)-isogeny – regardless of the type of codomain – is one which is defined by an anti-isometry with regards to the N-Weil pairing. More precisely, the isomorphism ψ : E_1[N] → E_2[N] is an anti-isometry with regards to the N-Weil pairing iff e_N(D_1, D_2) · e_N(ψ(D_1), ψ(D_2)) = 1 for all D_1, D_2 ∈ E_1[N].
Theorem 7. Let Φ : E_1 × E_2 → A be an (ℓ, ℓ)-isogeny, where ℓ is a prime, and ψ : E_1[ℓ] → E_2[ℓ] an anti-isometry with regards to the ℓ-Weil pairing such that ker Φ = ⟨(P, ψ(P)), (Q, ψ(Q))⟩ for some basis ⟨P, Q⟩ = E_1[ℓ]. Then A is a product of elliptic curves iff there exists an isogeny ϕ : E_1 → E_2 of degree k(ℓ − k) for some 1 ≤ k < ℓ such that ψ ∘ [k] = ϕ|_{E_1[ℓ]}.

Proof. See [54, Theorem 3].

A similar statement with more subtlety applies when N is not a prime [54, Theorem 2.6]. Unfortunately, calculating the isogeny Φ – or even just the codomain E_1 × E_2 – has no known explicit construction. In general, since we work with elliptic curves, the rigidity lemma¹ holds and any isogeny Φ : E_1 × E_2 → E_1′ × E_2′ is completely defined by its projections Π_i : E_1 × E_2 → E_i′ with i ∈ {1, 2}. In certain special cases, the formulae are quite straightforward, as can be seen in the following example.

¹ In essence, the rigidity lemma says that if ϕ : X × Y → Z is a morphism between algebraic varieties, with X complete, and for some y ∈ Y we have that the fibre X × {y} is mapped to a point on Z, then ϕ factors through the projection X × Y → Y. For more information and a proof of this statement, see for example [61, Theorem 2.1].

Example 10. Consider an integer N ≥ 2 and an isogeny ϕ : E_1 → E_2 of degree N − 1 which induces an anti-isometry ϕ|_{E_1[N]} (i.e. k = 1 in Theorem 7). Then the kernel of the endomorphism Φ : E_1 × E_2 → E_1 × E_2, (P, Q) ↦ (P + ϕ̂(Q), −Q + ϕ(P)) is an (N, N)-subgroup.

4.2 Split Jacobians and glueing of elliptic curves

Let E1 , E2 be elliptic curves and C a genus-2 curve. The curve C and its Jacobian
Jac(C) are said to split if there exists an isogeny ϕ : Jac(C) → E1 × E2 . Vice
versa, if there exists an isogeny % : E1 × E2 → Jac(C) then we say that the
elliptic curves E1 and E2 are glued together. Due to the existence of the dual
isogeny, these concepts can also be seen as duals and knowledge of how to glue
elliptic curves together can give us insight in how split Jacobians arise. In the
context of (N, N )-isogenies (and corresponding (N, N )-subgroups), we will say
that Jac(C) is (N, N )-split and that E1 and E2 are glued along their N -torsion.
Remark that in the latter case, the (N, N )-subgroup of the kernel of the isogeny
is necessarily nondiagonal (as explained in Section 4.1). The goal is not to go
into detail about fields of definition, but it is worth mentioning that a Jacobian
of a curve C/K that splits need not necessarily have the respective elliptic
curves defined over K.
Given the domain of either of these two options, as well as the corresponding
(N, N )-subgroup which is the kernel of the associated split or glued (N, N )-
isogeny, there is no known general method of computing the codomain or the
morphisms defining the isogeny. However, given a morphism f : C → E1 of
degree N , it must hold that Jac(C) is (N, N )-split. The curve E2 such that
there is an (N, N )-isogeny ϕ : Jac(C) → E1 × E2 is not necessarily unique, but
under certain conditions, a canonical choice can be made [56].
The cases of (2, 2)- and (3, 3)-split Jacobians have been completely parametrized
however. Hence in such situations in practice, it suffices to find an isomorphism
between the given data and the parameter families from the following two
theorems.
Theorem 8. Let $E_1/K : y^2 = (x - \alpha_1)(x - \alpha_2)(x - \alpha_3)$ and $E_2 : y^2 = (x - \beta_1)(x - \beta_2)(x - \beta_3)$ be elliptic curves over a field $K$ of characteristic different from two. Write $\Delta_\alpha$ for the discriminant of $(x - \alpha_1)(x - \alpha_2)(x - \alpha_3)$ and $\Delta_\beta$ for the discriminant of $(x - \beta_1)(x - \beta_2)(x - \beta_3)$. Furthermore, define

$$\begin{aligned}
a_1 &= (\alpha_3 - \alpha_2)^2/(\beta_3 - \beta_2) + (\alpha_2 - \alpha_1)^2/(\beta_2 - \beta_1) + (\alpha_1 - \alpha_3)^2/(\beta_1 - \beta_3),\\
b_1 &= (\beta_3 - \beta_2)^2/(\alpha_3 - \alpha_2) + (\beta_2 - \beta_1)^2/(\alpha_2 - \alpha_1) + (\beta_1 - \beta_3)^2/(\alpha_1 - \alpha_3),\\
a_2 &= \alpha_1(\beta_3 - \beta_2) + \alpha_2(\beta_1 - \beta_3) + \alpha_3(\beta_2 - \beta_1),\\
b_2 &= \beta_1(\alpha_3 - \alpha_2) + \beta_2(\alpha_1 - \alpha_3) + \beta_3(\alpha_2 - \alpha_1),\\
A &= \Delta_\beta a_1/a_2, \qquad B = \Delta_\alpha b_1/b_2,\\
h(x) &= -\bigl(A(\alpha_2 - \alpha_1)(\alpha_1 - \alpha_3)x^2 + B(\beta_2 - \beta_1)(\beta_1 - \beta_3)\bigr)\\
&\quad\cdot \bigl(A(\alpha_3 - \alpha_2)(\alpha_2 - \alpha_1)x^2 + B(\beta_3 - \beta_2)(\beta_2 - \beta_1)\bigr)\\
&\quad\cdot \bigl(A(\alpha_1 - \alpha_3)(\alpha_3 - \alpha_2)x^2 + B(\beta_1 - \beta_3)(\beta_3 - \beta_2)\bigr).
\end{aligned}$$

Then the $(2, 2)$-isogeny with domain $E_1 \times E_2$ and kernel

$$\{(\infty, \infty),\ ((\alpha_1, 0), (\beta_1, 0)),\ ((\alpha_2, 0), (\beta_2, 0)),\ ((\alpha_3, 0), (\beta_3, 0))\}$$

has as codomain the Jacobian of a genus-2 curve $C$ defined by $y^2 = h(x)$. The degree-2 morphisms of the dual isogeny are given by

$$\begin{aligned}
\varphi_1 : C &\to E_1, & (x, y) &\mapsto \bigl(s_1/x^2 + s_2,\ (\Delta_\beta/A^3)(y/x^3)\bigr),\\
\varphi_2 : C &\to E_2, & (x, y) &\mapsto \bigl(t_1x^2 + t_2,\ (\Delta_\alpha/B^3)\,y\bigr),
\end{aligned}$$

where

$$\begin{aligned}
s_1 &= -(B/A)(a_2/a_1), & s_2 &= \frac{1}{a_1}\left(\frac{\alpha_1(\alpha_3 - \alpha_2)^2}{\beta_3 - \beta_2} + \frac{\alpha_2(\alpha_1 - \alpha_3)^2}{\beta_1 - \beta_3} + \frac{\alpha_3(\alpha_2 - \alpha_1)^2}{\beta_2 - \beta_1}\right),\\
t_1 &= -(A/B)(b_2/b_1), & t_2 &= \frac{1}{b_1}\left(\frac{\beta_1(\beta_3 - \beta_2)^2}{\alpha_3 - \alpha_2} + \frac{\beta_2(\beta_1 - \beta_3)^2}{\alpha_1 - \alpha_3} + \frac{\beta_3(\beta_2 - \beta_1)^2}{\alpha_2 - \alpha_1}\right).
\end{aligned}$$

Proof. See [49, Proposition 4].

Theorem 9. Let $a, b, c, d, t$ be elements of a field $K$ such that $12ac + 16bd = 1$ and $t \neq 0$. Define $\Delta_1 = a^3 + b^2$, $\Delta_2 = c^3 + d^2$ and assume $\Delta_1 \neq 0 \neq \Delta_2$. Define

$$\begin{aligned}
f(x) &= (x^3 + 3ax + 2b)(2dx^3 + 3cx^2 + 1),\\
f_1(x) &= x^3 + 12(2a^2d - bc)x^2 + 12(16ad^2 + 3c^2)\Delta_1 x + 512\Delta_1^2 d^3,\\
f_2(x) &= x^3 + 12(2bc^2 - ad)x^2 + 12(16b^2c + 3a^2)\Delta_2 x + 512\Delta_2^2 b^3,\\
u_1(x) &= 12\Delta_1\,\frac{-2dx + c}{x^3 + 3ax + 2b}, & u_2(x) &= 12\Delta_2\,\frac{x^2(ax - 2b)}{2dx^3 + 3cx^2 + 1},\\
v_1(x) &= \Delta_1\,\frac{16dx^3 - 12cx^2 - 1}{(x^3 + 3ax + 2b)^2}, & v_2(x) &= \Delta_2\,\frac{x^3 + 12ax - 16b}{(2dx^3 + 3cx^2 + 1)^2}.
\end{aligned}$$

Let $E_1 : y^2 = f_1(x)$ and $E_2 : y^2 = f_2(x)$ be elliptic curves, and $C : y^2 = f(x)$ a genus-2 curve. Then there exists a $(3, 3)$-isogeny $\Phi : \mathrm{Jac}(C) \to E_1 \times E_2$ defined by the morphisms

$$\begin{aligned}
\varphi_1 : C &\to E_1, & (x, y) &\mapsto (u_1(x),\ y\,v_1(x)),\\
\varphi_2 : C &\to E_2, & (x, y) &\mapsto (u_2(x),\ y\,v_2(x)).
\end{aligned}$$

Proof. See [16, Appendix A].

Note that the parametrization from Theorem 9 is the most general possible form and includes all exceptional cases. The study of (3, 3)-split Jacobians goes back to the nineteenth century however, and has appeared in several other (less general) forms throughout history [79, 47, 48, 56].
It may come across as a little surprising that Theorem 8 involves more complex formulae than Theorem 9. This is due to the fact that in the (2, 2)-isogeny case, we assume that the (2, 2)-kernel is generated by rational divisors on E_1 × E_2, whereas in the (3, 3)-isogeny case, merely the isogeny itself is assumed to be rational. In the latter case, kernel generators in their most general form would need to be defined over a field extension of degree eight², which would result in a general parametrization with extremely extensive expressions. In practice, one can find generic N-torsion elements for small N by the generalization of the division polynomials of Section 3.1 to hyperelliptic curves of genus two, see for example [19]. Alternatively, over a finite field F_q, if one knows the size e_q of the maximal cyclic subgroup of the Jacobian over F_q, one can try to find N-torsion elements by computing (e_q/N)·D for random divisors D.

² To see why this is true over a finite field, consider an F_q-rational (3, 3)-subgroup generated by ⟨D_1, D_2⟩, which must necessarily be mapped to itself by Frobenius. The matrix of Frobenius acting on ⟨D_1, D_2⟩ is thus an invertible 2 × 2-matrix with elements in F_3. The order of an element of GL_2(F_3) is at most eight, hence applying Frobenius eight times results in the identity, or, alternatively, all elements must be defined over F_{q^8}.

4.3 Richelot isogenies

A (2, 2)-isogeny between Jacobians of genus-2 curves is called a Richelot isogeny, due to their discovery by Richelot in the first half of the nineteenth century [76, 75]. For a more contemporary exposition, we refer to [86, §8], from which we give the most important computational result in the following theorem.

Theorem 10. Let $C/K : y^2 = G_1(x)G_2(x)G_3(x)$ be a genus-2 curve over a field $K$ of characteristic different from two, where

$$\begin{aligned}
G_1 &= g_{1,3}x^2 + g_{1,2}x + g_{1,1} = g_{1,3}(x - \alpha_1)(x - \alpha_2),\\
G_2 &= g_{2,3}x^2 + g_{2,2}x + g_{2,1} = g_{2,3}(x - \alpha_3)(x - \alpha_4),\\
G_3 &= g_{3,3}x^2 + g_{3,2}x + g_{3,1} = g_{3,3}(x - \alpha_5)(x - \alpha_6).
\end{aligned}$$

Furthermore, define
$$\delta = \det\begin{pmatrix} g_{1,3} & g_{1,2} & g_{1,1}\\ g_{2,3} & g_{2,2} & g_{2,1}\\ g_{3,3} & g_{3,2} & g_{3,1}\end{pmatrix}$$
and
$$G = \{0,\ [(\alpha_1, 0) - (\alpha_2, 0)],\ [(\alpha_3, 0) - (\alpha_4, 0)],\ [(\alpha_5, 0) - (\alpha_6, 0)]\} \subseteq \mathrm{Jac}(C)[2].$$

If $\delta \neq 0$, then the $(2, 2)$-isogeny $\Phi : \mathrm{Jac}(C) \to A$ with kernel $G$ has a codomain $A$ that is the Jacobian of a genus-2 curve defined by

$$C' : y^2 = \delta^{-1} H_1(x)H_2(x)H_3(x),$$

where

$$H_1(x) = G_2'G_3 - G_2G_3', \qquad H_2(x) = G_3'G_1 - G_3G_1', \qquad H_3(x) = G_1'G_2 - G_1G_2',$$

and $G_i'$ is the formal derivative of $G_i(x)$ for $i \in \{1, 2, 3\}$.

Furthermore, the isogeny $\Phi$ can be evaluated on the level of points as follows, which extends to divisors through their support. If $P = (x_1, y_1) \in C$ then $\Phi(P) = (x_2, y_2) \in C'$ satisfies

$$G_1(x_1)H_1(x_2) + G_2(x_1)H_2(x_2) = 0, \qquad y_1y_2 = G_1(x_1)H_1(x_2)(x_1 - x_2).$$

Proof. See [86, Section 8.4].

The case δ = 0 in Theorem 10 corresponds exactly to the case where the codomain of the (2, 2)-isogeny is a product of elliptic curves [86, Section 8.3], which we have already parametrized in Theorem 8. Typically, genus-2 curves over fields of characteristic different from two are given in the form y² = f(x), with f a quintic or sextic polynomial. In case of a quintic, the formulae from Theorem 10 still hold and exactly one of the roots from G_1(x)G_2(x)G_3(x) is considered to be ∞, but nothing changes arithmetic-wise.

4.4 (3,3)-isogenies

In 2014, Bruin, Flynn and Testa found a general parametrization for a genus-2 curve C/K (with char K ∉ {2, 3}) such that ⟨T_1, T_2⟩ ⊆ Jac(C)[3] is a (3, 3)-subgroup, with T_1 and T_2 both K-rational divisors [18]. In accordance to [18, Lemma 3] and the discussion preceding [18, Theorem 6], the general parametrization comes with the following caveats. Assume we have a curve C′/K with (3, 3)-subgroup ⟨T_1′, T_2′⟩ ⊆ Jac(C′)[3] and we want to find an isomorphism to a corresponding tuple of parameters. This will fail exactly if T_1′ or T_2′ share an affine point in their support with the same x-coordinate, or if T_1′ or T_2′ have only a single affine point in their support. In Mumford representation, this translates to the first polynomials either having a nontrivial greatest common divisor, respectively the first polynomial being linear instead of quadratic. However, it can be shown that in the (3, 3)-subgroup ⟨T_1′, T_2′⟩ one can always pick two generators that do not run into these issues; e.g. if T_1′ is of the form P_1′ − ∞ for some P_1′ ∈ C′, then one can simply try a different pair of generators, such as for example ⟨T_1′ + T_2′, T_2′⟩, and at least one of these choices will be parameterizable. Additionally, Bruin, Flynn and Testa also gave the parametrization of the curve whose Jacobian is equal to Jac(C)/⟨T_1, T_2⟩. All of this is condensed in the following theorem.

Theorem 11. Let $C/K$ be a genus-2 curve over a field $K$ of characteristic different from two and three. Let $T_1, T_2$ be $K$-rational divisors of $\mathrm{Jac}(C)$, such that $\langle T_1, T_2 \rangle$ is a $(3, 3)$-subgroup. If the triple $(C, T_1, T_2)$ is general enough (in the sense of the discussion preceding this theorem), then it is isomorphic to a suitable specialization of $r, s, t$ in the family described by the following data.

$$\begin{aligned}
H_1 &= x^2 + rx + t, & \lambda_1 &= 4s,\\
G_1 &= (s - st - 1)x^3 + 3s(r - t)x^2 + 3sr(r - t)x - st^2 + sr^3 + t,\\
H_2 &= x^2 + x + r, & \lambda_2 &= 4st,\\
G_2 &= (s - st + 1)x^3 + 3s(r - t)x^2 + 3sr(r - t)x - st^2 + sr^3 - t.
\end{aligned}$$

Here, $C_{rst} : y^2 = F_{rst}(x) = G_1(x)^2 + \lambda_1 H_1(x)^3 = G_2(x)^2 + \lambda_2 H_2(x)^3$ and $T_i = (H_i(x),\ G_i(x) \bmod H_i(x))$ in Mumford representation for $i \in \{1, 2\}$. Furthermore, the isogeny with domain $\mathrm{Jac}(C)$ and kernel $\langle T_1, T_2 \rangle$ has as codomain the Jacobian of the genus-2 curve $\tilde{C}_{rst} : -3y^2 = \tilde{G}_4(x)^2 + \tilde{\lambda}_4 \tilde{H}_4(x)^3$, where

$$\begin{aligned}
\tilde{G}_4 &= \Delta\bigl((s - st - 1)x^3 + 3s(r - t)x^2 + 3rs(r - t)x + (r^3s - st^2 - t)\bigr),\\
\tilde{\lambda}_4 &= 4\Delta st,\\
\tilde{H}_4 &= (r - 1)(rs - st - 1)x^2 + (r^3s - 2r^2s + rst + r - st^2 + st - t)x - (r^2 - t)(rs - st - 1),\\
\Delta &= r^6s^2 - 6r^4s^2t - 3r^4s + 2r^3s^2t^2 + 2r^3s^2t + 3r^3st + r^3s + r^3\\
&\quad + 9r^2s^2t^2 + 6r^2st - 6rs^2t^3 - 6rs^2t^2 - 9rst^2 - 3rst - 3rt + s^2t^4\\
&\quad + 2s^2t^3 + s^2t^2 + 2st^3 + 3st^2 + t^2 + t.
\end{aligned}$$

Proof. See [18, Theorem 6 & Theorem 9].

The role of ∆ is the same as δ from Theorem 10, i.e. ∆ is zero iff the codomain of the (3, 3)-isogeny is a product of elliptic curves, which we have fully parametrized in Theorem 9 already. Remark that [18, Theorem 6] also gives explicit expressions for the divisors T_1 ± T_2 if one is interested in those. The discriminant of C_rst contains seven distinct nonconstant factors in Q[r, s, t], which – together with ∆ ≠ 0 – guarantee that C̃_rst is also well-defined as a genus-2 curve as soon as C_rst is well-defined. If furthermore r − 1, r² − t, rs − st − 1 are all nonzero, then C̃_rst can be put into the form C_{r′s′t′} again for new parameters r′, s′, t′, where now ⟨T_1′, T_2′⟩ determines the kernel of the dual isogeny. If either of those three expressions would happen to be zero, a new choice of basis for the (3, 3)-subgroup that determines the kernel of the dual isogeny can always be made to still provide a parametrization of the curve C̃_rst (in the sense of the discussion preceding Theorem 11).
The rational map defining the (3, 3)-isogeny in Theorem 11 can be found online at [17]. The map is defined over the Kummer surface K, i.e. K = Jac(C)/[±1], and the equations take a couple of hundred kilobytes when stored as a Horner scheme in a txt-file. They are used in the genus-2 variant of SIDH in [41].
An alternative way of computing a (3, 3)-isogeny with a more geometric-flavored approach can be found in [85], where Smith continues upon the work of Dolgachev and Lehavi [36]. In particular, he gives a practical implementation of their algorithm to compute (only) the codomain of a (3, 3)-isogeny between Jacobians of genus-2 curves over finite fields. Finally, one can also compute a (3, 3)-isogeny by means of specializing Section 4.5 at ℓ = 3.
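The two explicit genus-2 constructions of this chapter, Theorem 10 (Richelot codomain) and Theorem 11 (the (3, 3) family C_rst and its codomain), carried out over a small prime field in one added example; this is not code from the thesis, [86] or [18], and it only needs polynomial arithmetic on coefficient lists, so that helper is shared by both parts. All inputs are constructed: p = 101, the quadratics G_1 = x² − 1, G_2 = x² − 2x, G_3 = x² − 7x + 12 (six distinct roots ±1, 0, 2, 3, 4) for the Richelot part, and the specialisation (r, s, t) = (2, 3, 5) for the (3, 3) part. The function names are mine. The (3, 3) part checks the identity G_1² + λ_1H_1³ = G_2² + λ_2H_2³ that makes F_rst well defined, and that the Mumford pairs T_i really are divisors on C_rst, i.e. that the second polynomial squared is congruent to F_rst modulo the first.

```python
# Added example: Richelot codomain (Theorem 10) and the (3,3) family of Theorem 11 over F_p.
# Polynomials are coefficient lists, lowest degree first.
p = 101

def ptrim(f):
    while len(f) > 1 and f[-1] == 0:
        f.pop()
    return f

def padd(f, g):
    n = max(len(f), len(g))
    f, g = f + [0] * (n - len(f)), g + [0] * (n - len(g))
    return ptrim([(x + y) % p for x, y in zip(f, g)])

def pscale(c, f):
    return ptrim([c * x % p for x in f])

def pmul(f, g):
    out = [0] * (len(f) + len(g) - 1)
    for i, x in enumerate(f):
        for j, y in enumerate(g):
            out[i + j] = (out[i + j] + x * y) % p
    return ptrim(out)

def pderiv(f):
    return ptrim([i * c % p for i, c in enumerate(f)][1:] or [0])

def pmod(f, g):
    """f mod g for a monic g."""
    f = list(f)
    while len(f) >= len(g):
        c, shift = f[-1], len(f) - len(g)
        for i, b in enumerate(g):
            f[shift + i] = (f[shift + i] - c * b) % p
        f.pop()
    return ptrim(f)

def det3(m):
    return (m[0][0] * (m[1][1] * m[2][2] - m[1][2] * m[2][1])
            - m[0][1] * (m[1][0] * m[2][2] - m[1][2] * m[2][0])
            + m[0][2] * (m[1][0] * m[2][1] - m[1][1] * m[2][0])) % p

# (i) Richelot isogeny, Theorem 10: C : y^2 = G1 G2 G3 with quadratics G_i.
def richelot(G1, G2, G3):
    """(delta, [H1, H2, H3], sextic) with C' : y^2 = sextic = delta^-1 H1 H2 H3,
    or None when delta = 0 (the codomain is then a product of elliptic curves)."""
    delta = det3([[G[2], G[1], G[0]] for G in (G1, G2, G3)])   # columns x^2, x, 1
    if delta == 0:
        return None
    H = lambda Ga, Gb: padd(pmul(pderiv(Ga), Gb), pscale(-1, pmul(Ga, pderiv(Gb))))
    Hs = [H(G2, G3), H(G3, G1), H(G1, G2)]
    sextic = pscale(pow(delta, -1, p), pmul(Hs[0], pmul(Hs[1], Hs[2])))
    return delta, Hs, sextic

# (ii) The (3,3) family of Theorem 11, specialised at (r, s, t).
def family(r, s, t):
    """(F_rst, T1, T2, identity_holds): the curve, its Mumford generators and whether the two
    expressions G_i^2 + lambda_i H_i^3 for F_rst agree (they must, for every r, s, t)."""
    H1, lam1 = [t, r, 1], 4 * s % p
    G1 = [(s*r**3 - s*t*t + t) % p, 3*s*r*(r - t) % p, 3*s*(r - t) % p, (s - s*t - 1) % p]
    H2, lam2 = [r, 1, 1], 4 * s * t % p
    G2 = [(s*r**3 - s*t*t - t) % p, 3*s*r*(r - t) % p, 3*s*(r - t) % p, (s - s*t + 1) % p]
    F1 = padd(pmul(G1, G1), pscale(lam1, pmul(H1, pmul(H1, H1))))
    F2 = padd(pmul(G2, G2), pscale(lam2, pmul(H2, pmul(H2, H2))))
    return F1, (H1, pmod(G1, H1)), (H2, pmod(G2, H2)), F1 == F2

def is_divisor_on(T, F):
    """Mumford pair (u, v) lies on y^2 = F(x) iff v^2 = F mod u."""
    u, v = T
    return pmod(padd(pmul(v, v), pscale(-1, F)), u) == [0]

def delta_rst(r, s, t):
    """Delta of Theorem 11; zero iff the (3,3)-codomain is a product of elliptic curves."""
    return (r**6*s**2 - 6*r**4*s**2*t - 3*r**4*s + 2*r**3*s**2*t**2 + 2*r**3*s**2*t + 3*r**3*s*t
            + r**3*s + r**3 + 9*r**2*s**2*t**2 + 6*r**2*s*t - 6*r*s**2*t**3 - 6*r*s**2*t**2
            - 9*r*s*t**2 - 3*r*s*t - 3*r*t + s**2*t**4 + 2*s**2*t**3 + s**2*t**2 + 2*s*t**3
            + 3*s*t**2 + t**2 + t) % p

def codomain_rst(r, s, t):
    """Sextic f with C~_rst : y^2 = f(x), obtained from -3y^2 = G~4^2 + lambda~4 H~4^3."""
    D = delta_rst(r, s, t)
    G4 = pscale(D, [(r**3*s - s*t*t - t) % p, 3*r*s*(r - t) % p, 3*s*(r - t) % p, (s - s*t - 1) % p])
    lam4 = 4 * D * s * t % p
    H4 = [(-(r*r - t) * (r*s - s*t - 1)) % p,
          (r**3*s - 2*r*r*s + r*s*t + r - s*t*t + s*t - t) % p,
          ((r - 1) * (r*s - s*t - 1)) % p]
    return pscale(pow(-3, -1, p), padd(pmul(G4, G4), pscale(lam4, pmul(H4, pmul(H4, H4)))))
```

For the Richelot part, the block also lets one compute the determinant of the coefficient matrix of H_1, H_2, H_3 with det3; for this instance it equals 2δ² and is nonzero, so the same construction applied to the H_i again lands on a Jacobian.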

4.5 (`, `)-isogenies from theta functions

Analogously to the elliptic-curve case, a separable (N, N)-isogeny for composite N ≥ 4 can be decomposed as a concatenation of (ℓ_i, ℓ_i)-isogenies, where N = ∏_i ℓ_i is the prime factorization. Remark that – vice versa – an arbitrary composition of two (ℓ_i, ℓ_i)-isogenies does not necessarily lead to an (ℓ_i², ℓ_i²)-isogeny. This is again not different from the elliptic-curve case, where two ℓ_i-isogenies concatenated can create the multiplication-by-ℓ_i map on an elliptic curve, which is no longer cyclic. Typically, (ℓ, ℓ)-isogenies for ℓ prime are easier to describe, so we will restrict ourselves to those in this section.
Unfortunately, the geometric approach to compute (ℓ, ℓ)-isogenies between Jacobians of genus-2 curves from [36] does not lead to a practical algorithm. In particular, Smith managed to make it work for (3, 3)-isogenies in [85], but this is mostly due to a "lucky" coincidence where a system of polynomials has exactly the right number of equations. In general, this system is highly overdetermined, poses somewhat of a challenge to compute a (5, 5)-isogeny over a finite field, and is nigh unworkable for ℓ ≥ 7 or infinite fields.
Cosset and Robert used the work from [36] as an inspiration, and managed to create a practical algorithm to compute (ℓ, ℓ)-isogenies between Jacobians of genus-2 curves. Their construction is quite explicit, but the algorithm is too voluminous to recreate here. Furthermore, it is based on mathematical concepts such as theta structures of level two and four that we have not elaborated on in the preliminaries.³ The article [28] is fairly self-contained, so any reader interested in the construction can follow their plan of approach. In terms of complexity, their main result over finite fields is as follows.
Theorem 12. Let C be a genus-2 curve over a finite field F_q of odd characteristic, where C is given by a Weierstraß form C : y² = f(x). Let G = ⟨D_1, D_2⟩ ⊆ Jac(C)[ℓ] be an F_q-rational (ℓ, ℓ)-subgroup, where D_1, D_2 are given in Mumford coordinates. Define the isogeny Φ : Jac(C) → A such that ker Φ = G and A is the Jacobian of a genus-2 curve C′. Then we can compute a Weierstraß form of C′ in Õ(ℓ^{2+r}) operations in F_q, and the same complexity holds for Φ(D) for any F_q-rational element D ∈ Jac(C) given in Mumford coordinates. Here, r = 2 if ℓ ≡ 1 mod 4 and r = 4 otherwise.

Apart from this theoretical result, the authors also managed to implement a working version of their construction in Magma [14], which is called AVIsogenies and can be found on their website [11]. The package is still being updated, and recently relaxed the condition that ℓ need no longer be prime for example. As an illustration in [28], they computed a (1321, 1321)-isogeny between Jacobians of genus-2 curves over F_42179, with the domain Jacobian having 2^10 · 1321² F_42179-rational elements. The curves were chosen specifically such that during the computation of the codomain, certain field extensions could be avoided. Nonetheless, it still took 2 hours to finish on a double core with 32 GB of RAM, where we should also note that we are in the most efficient case of r = 2 from Theorem 12. As a comparison with elliptic curves, let E : y² = x³ − x be the (supersingular) elliptic curve over F_1787022379. Then E has 2² · 5 · 11² · 13 · 43 · 1321 rational points, which is approximately 2^10 · 1321². Using the Magma command IsogenyFromKernel to compute the degree-1321 isogeny in the Magma online calculator takes only two seconds. This is keeping in mind that IsogenyFromKernel is in no way optimized in the sense of Section 3.3, and all points P, 2P, …, 660P were naively computed to create the kernel polynomial, where P is any random (rational) kernel generator of order 1321.

³ A level two theta structure of a Jacobian Jac(C) can be identified with its Kummer surface K = Jac(C)/[±1].

4.6 Conclusion

In this chapter we have taken a look at possible ways to compute (N, N)-isogenies between two-dimensional abelian varieties. Subtleties arise since these types of objects split into two categories, i.e. products of elliptic curves and Jacobians of genus-2 curves. By means of isogenies, a product of two elliptic curves can sometimes be glued together to a Jacobian of a genus-2 curve, and – vice versa – the Jacobian of a genus-2 curve can sometimes be split into a product of two elliptic curves.
The best-understood (N, N)-isogenies are the (2, 2)- and (3, 3)-isogenies, as
well as the isogenies with diagonal kernel between products of elliptic curves.
General methods for computing (N, N)-isogenies between Jacobians of genus-2
curves exist, but are a lot more involved than separable cyclic isogenies between
elliptic curves, both in the underlying concepts used and in the arithmetic
computations that need to be performed. Typically, they are multiple orders of
magnitude slower than their elliptic-curve equivalents.
Chapter 5

Concluding remarks and summary of contributions

We can only see a short distance ahead, but we can see plenty there that needs to be done.

Alan Turing

The advent of a sufficiently large quantum computer may render all public
key cryptography as we know it obsolete. Possible contenders to replace
the overwhelmingly-used elliptic-curve-based cryptographic protocols are the
isogeny-based schemes, which are conjectured to be resistant to all currently-
known quantum attacks. In Chapter 2 we gave the necessary mathematical and
cryptographic background to lay the foundation of understanding isogeny-based
cryptography, where we did not restrict ourselves to the elliptic-curve case but
generalized to higher-dimensional abelian varieties. In Chapter 3 we provided
the most relevant notions and techniques that are used to compute isogenies
between elliptic curves in practice, whereas in Chapter 4, the same was done for
the most well-understood isogenies between two-dimensional abelian varieties.
We will now return to the two main research questions this thesis addresses.
Question 1: How can isogeny-based cryptography be sped up?
SeaSign 2.0. Shortly after the publication of the CSIDH public key exchange
protocol in 2018, De Feo and Galbraith used the setting to transform it into
a signature scheme called SeaSign [32]. Their construction makes use of Fiat–
Shamir with aborts, a technique typically used in lattice-based cryptographic
protocols [57]. In essence, Alice has a certain number of private keys (integer
vectors) that represent a class group element, with corresponding public keys
(elliptic curves) that are obtained from these private keys acting on a public
elliptic curve in the sense of CSIDH, see Subsection 2.2.3. To identify herself,
she samples an ephemeral key (integer vector but from a larger set), uses this
as a class group action on the public key and commits to this resulting elliptic
curve. Bob can then challenge her and ask to reveal an isogeny path from
one of her public key curves to this new curve. Alice reveals this path if no
information can leak from her private keys. This leakage can happen since she
needs to provide the entry-wise difference of two integer vectors, so that,
for example, two extreme values in the first entry of both vectors already
reveal the exact private key entry in that position. Turning the identification
scheme into a signature scheme then happens with the standard Fiat–Shamir
construction. De Feo and Galbraith provided several trade-off choices with
regards to parameters, including signing time, signature size and public key
size. Their basic scheme had very small signature sizes, but took on average
two days to sign a message.
In Chapter 6 we significantly speed up this signature scheme. We first provide
two adjustments to the general setting that reduce the probability of rejection,
which noticeably decreases the number of failed signature attempts. Next,
we also describe a way to slightly increase the signature size such that Alice
can choose not to answer certain challenges. The combination of these two
techniques provides a speed-up of a factor 4 to 66, depending on parameter
choices. Shortly after our publication, a CSIDH-based signature scheme called
CSI-FiSh was introduced which improved the processing time by several orders
of magnitude over anything SeaSign could bring to the table [10]. Unfortunately,
it required the computation of a class group of an imaginary quadratic field with
a 154-digit discriminant, which took approximately 52 core years of computing
time. Replicating this scheme for anything above the 128-bit security level is
infeasible with current computing power. In [33], the isogeny-based signature
scheme called SQISign was introduced, which uses the SIDH setting rather than
the CSIDH one. The scheme still requires over two seconds to sign at the most
basic security level however, so the search for a sufficiently fast isogeny-based
signature scheme is still ongoing.
CSURF. In CSIDH, supersingular elliptic curves with endomorphism ring
$\mathbb{Z}[\sqrt{-p}]$ are used. These curves are said to be “on the floor” in the sense of
the isogeny volcanoes of [34]. The reason for this choice was that isomorphism
classes of these curves were one-to-one with Montgomery forms, which have
highly efficient arithmetic both in terms of scalar multiplication and in terms of
isogenies. In Chapter 8, we argue that it is more efficient to use the (only) other
option: supersingular elliptic curves on the surface, i.e. those with endomorphism
ring $\mathbb{Z}[(1 + \sqrt{-p})/2]$. The benefit of this set of curves is that they allow the use
of horizontal 2-isogenies, whereas CSIDH can only work with odd-degree
isogenies. The drawback to this set of curves is that they are no longer one-
to-one with Montgomery forms; instead, they are two-to-one. Hence for key
verification, an extra (fast) step is required to transform them to the floor again.
Alternatively, a slightly different representation of curves can be used, i.e. curves
of the form $E : y^2 = x^3 + Ax^2 - x$. The downside to this type of curve is that
the analogue of the Montgomery ladder is ever-so-slightly less efficient, and is
outperformed by the regular Montgomery ladder by one multiplication in each
step. In either case, the 2-isogenies are computed wildly differently from any
Vélu-style formulae, and in essence boil down to a square root computation over
a prime field, which allows the CSURF setting to make use of a long chain of
2-isogenies prior to computing the odd-degree isogenies. The resulting protocol
is almost 6% more efficient than the original CSIDH instantiation, although
this effect is reduced if one is interested in a constant-time implementation, see
for example [24]. It is still an open question how much exactly can be gained
with a fully-practical version of CSURF compared to CSIDH when taking into
account specific hardware and software optimizations.
Radical isogenies. In Chapter 9 we elaborate on this completely different
type of isogeny computation that occurred in the 2-isogenies from CSURF. We
show¹ that horizontal $\ell$-isogenies for any odd $\ell$ in the CSIDH or CSURF setting
can be computed by means of a simple $\ell$th root extraction combined with
some arithmetic, which we named radical isogenies. Given that the sampling
of $\ell$-torsion points is a reasonable bottleneck in CSIDH, it seems we can speed
up the computations by avoiding this altogether and using radical isogenies
instead. Unfortunately, the additional arithmetic involving these formulae
grows quickly, and the formulae for primes $\ell \geq 17$ seem to be too voluminous to
evaluate compared to the classical way in which CSIDH computes its isogenies.
Nonetheless, an improvement of 19% in terms of speed compared to CSIDH was
found. As in the CSURF setting, a constant-time implementation of
these formulae would require more overhead and would likely lead to a smaller
speed-up [25]. It is still an open question how far radical isogenies can be
pushed in terms of performance, e.g. the “naked” formulae for $\ell \geq 17$ can
be immense, but it is not known what the most efficient way of evaluating
them is. Ideally, optimizing the arithmetic of both radical isogenies and Vélu’s
square-root formulae from Section 3.3 to cover the gap for $\ell \in \{17, 19, \ldots, 83\}$
could push the classical Vélu-style formulae out of CSIDH altogether.

1 Technically, the main result is merely conjectured. However, we do not see any reason as
to why our result would all of a sudden not work when we reduce to a finite field which does not
share its characteristic with the prime $\ell$. Additionally, all formulae from our implementation
were proven by means of an algebraic software package.

Question 2: In what way can isogeny-based cryptography be generalized to higher dimensional abelian varieties?
Genus-2 CGL hash function. In 2017, Takashima published a practical
implementation of a genus-2 variant of the CGL hash function using Richelot
isogenies [90]. A little over a year later, Flynn and Ti remarked that Takashima’s
hash function was fundamentally flawed and had a significant number of collisions
for any input [41]. Their argument was that a concatenation of two (2, 2)-
isogenies can lead to the same (4, 2, 2)-isogeny in three distinct ways.² They
did manage to use the underlying setting to create a genus-2 variant of SIDH
however, by starting out with a $(2^r, 2^r)$-subgroup and chaining (2, 2)-isogenies
by pushing the kernel generators along in the sense of [37]. In Chapter 7,
we revisit the construction of the CGL hash function and repair it without
needing to compute a $(2^r, 2^r)$-subgroup first. We manage to separate the (2, 2)-
isogenies that are safe to use from those that should be avoided, both in a
group-theoretical sense and in an arithmetic way. In essence, the concept
underlying this phenomenon is the generalization of having to avoid the dual
isogeny in the original CGL hash function. In higher dimensions however, one
must not only discard the kernel subgroup corresponding to the dual isogeny,
but any kernel subgroup that intersects that dual isogeny’s kernel nontrivially.
Furthermore, we also argue why the generalization of supersingular elliptic
curves in a cryptographic sense are the superspecial abelian varieties, which
are only a (small) subset of the supersingular ones. A problem that arose and
has still been left unanswered in this setting is whether the restriction of the
(2, 2)-isogeny graph to contain only certain edges still leaves us with an expander
graph; in fact we do not even know if the graph is connected for every field
$\mathbb{F}_{p^2}$. Furthermore, the expansion properties are hard, if not impossible, to define at
the graph level, since the exact edges that can be used in a (random) walk are
determined by the previous edge.
Multiradical isogenies. In Chapter 10 we generalize the results of the
radical isogenies from Chapter 9 to multiradical (N, . . . , N)-isogenies between
abelian varieties of arbitrary dimensions. The main hurdle is the fact that
g-dimensional abelian varieties with rational (N, . . . , N)-subgroup are not
necessarily parameterizable, which is different from the elliptic-curve case.
This forces us to restrict ourselves to certain parameterizable families of abelian
varieties. Of these, our most important new examples are products of g elliptic
curves, generic Jacobians of genus-2 curves with rational (3, 3)-subgroup, and a
1-parameter family of Jacobians of genus-2 curves with rational (5, 5)-subgroup.
The radical isogenies between elliptic curves can be seen as a special case of the
multiradical isogenies. In practice, this construction gives rise to a genus-2 CGL
hash function using (3, 3)-isogenies, which is faster than the genus-2 CGL hash
function using (2, 2)-isogenies from Chapter 7 by a factor of nine. Our discovery
still left multiple questions unanswered however, such as the conjectural nature
of some of our mathematical results. Additionally, the (3, 3)-isogenies could
still be optimized in terms of arithmetic, whereas other parameterizable higher-
dimensional abelian varieties could still benefit from having our results applied
to them.

2 A (4, 2, 2)-isogeny here is a separable isogeny between two-dimensional abelian varieties
with kernel isomorphic to $\mathbb{Z}/4\mathbb{Z} \oplus \mathbb{Z}/2\mathbb{Z} \oplus \mathbb{Z}/2\mathbb{Z}$.
Bibliography

[1] Aikawa, Y., Tanaka, R., and Yamauchi, T. Expander graphs from
superspecial abelian varieties. arXiv preprint arXiv:2201.04293 (2022).
[2] Azarderakhsh, R., Campagna, M., Costello, C., De Feo, L., Hess,
B., Jalali, A., Jao, D., Koziel, B., LaMacchia, B., Longa, P.,
et al. Supersingular isogeny key encapsulation. Submission to the NIST
Post-Quantum Standardization project 152 (2017), 154–155.
[3] Banegas, G., Bernstein, D. J., Campos, F., Chou, T., Lange, T.,
Meyer, M., Smith, B., and Sotáková, J. CTIDH: faster constant-
time CSIDH. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2021, 4 (2021),
351–387.
[4] Benioff, P. The computer as a physical system: A microscopic quantum
mechanical Hamiltonian model of computers as represented by Turing
machines. Journal of statistical physics 22, 5 (1980), 563–591.

[5] Bernstein, D. J. cr.yp.to: 2016.10.30: Some challenges in post-quantum
standardization. https://blog.cr.yp.to/20161030-pqnist.html visited on 2022-03-01.
[6] Bernstein, D. J., De Feo, L., Leroux, A., and Smith, B. Faster
computation of isogenies of large prime degree. ANTS-XIV – 14th
Algorithmic Number Theory Symposium, The Open Book Series Vol. 4, No.
1 (2020), 39–55.
[7] Bernstein, D. J., Duif, N., Lange, T., Schwabe, P., and Yang,
B. High-speed high-security signatures. In Cryptographic Hardware and
Embedded Systems - CHES 2011 - 13th International Workshop, Nara,
Japan, September 28 - October 1, 2011. Proceedings (2011), B. Preneel and
T. Takagi, Eds., vol. 6917 of Lecture Notes in Computer Science, Springer,
pp. 124–142.

[8] Bernstein, D. J., and Lange, T. Montgomery curves and the
Montgomery ladder. In Topics in Computational Number Theory Inspired
by Peter L. Montgomery, J. Bos and A. Lenstra, Eds. Cambridge University
Press, 2017. Available at eprint.iacr.org/2017/293.
[9] Bernstein, D. J., Lange, T., Martindale, C., and Panny, L.
Quantum circuits for the CSIDH: optimizing quantum evaluation of
isogenies. In Advances in Cryptology - EUROCRYPT 2019 - 38th Annual
International Conference on the Theory and Applications of Cryptographic
Techniques, Darmstadt, Germany, May 19-23, 2019, Proceedings, Part
II (2019), Y. Ishai and V. Rijmen, Eds., vol. 11477 of Lecture Notes in
Computer Science, Springer, pp. 409–441.
[10] Beullens, W., Kleinjung, T., and Vercauteren, F. CSI-FiSh:
Efficient isogeny based signatures through class group computations.
In Advances in Cryptology - ASIACRYPT 2019 - 25th International
Conference on the Theory and Application of Cryptology and Information
Security, Kobe, Japan, December 8-12, 2019, Proceedings, Part I (2019),
S. D. Galbraith and S. Moriai, Eds., vol. 11921 of Lecture Notes in Computer
Science, Springer, pp. 227–247.

[11] Bisson, G., Cosset, R., and Robert, D. AVIsogenies.
https://www.math.u-bordeaux.fr/~damienrobert/avisogenies/ visited on 2022-03-01.
[12] Boneh, D., and Franklin, M. K. Identity-based encryption from the
Weil pairing. In Advances in Cryptology - CRYPTO 2001, 21st Annual
International Cryptology Conference, Santa Barbara, California, USA,
August 19-23, 2001, Proceedings (2001), J. Kilian, Ed., vol. 2139 of Lecture
Notes in Computer Science, Springer, pp. 213–229.
[13] Bonnetain, X., and Schrottenloher, A. Quantum Security Analysis
of CSIDH. In EUROCRYPT 2020 - 39th Annual International Conference
on the Theory and Applications of Cryptographic Techniques (Zagreb /
Virtual, Croatia, May 2020), vol. 12106 of Lecture Notes in Computer
Science, pp. 493–522.
[14] Bosma, W., Cannon, J., and Playoust, C. The Magma algebra
system. I. The user language. J. Symbolic Comput. 24, 3-4 (1997), 235–265.
Computational algebra and number theory (London, 1993).

[15] Brock, B. W. Superspecial curves of genera two and three. PhD thesis,
Princeton University, 1993.
[16] Bröker, R., Howe, E. W., Lauter, K. E., and Stevenhagen, P.
Genus-2 curves and Jacobians with a given number of points. LMS Journal
of Computation and Mathematics 18, 1 (2015), 170–197.

[17] Bruin, N., Flynn, E. V., and Testa, D. Genus 2 Jacobians with
(3,3) level structure. http://www.cecm.sfu.ca/~nbruin/c3xc3/ visited
on 2022-03-01.
[18] Bruin, N., Flynn, E. V., and Testa, D. Descent via (3,3)-isogeny on
jacobians of genus 2 curves. Acta Arithmetica 165, 3 (2014), 201–223.
[19] Cantor, D. G. On the analogue of the division polynomials for
hyperelliptic curves. Journal für die reine und angewandte Mathematik
447 (1994), 91–146.
[20] Castryck, W., Lange, T., Martindale, C., Panny, L., and
Renes, J. CSIDH: an efficient post-quantum commutative group action.
In Advances in Cryptology - ASIACRYPT 2018 - 24th International
Conference on the Theory and Application of Cryptology and Information
Security, Brisbane, QLD, Australia, December 2-6, 2018, Proceedings, Part
III (2018), T. Peyrin and S. D. Galbraith, Eds., vol. 11274 of Lecture Notes
in Computer Science, Springer, pp. 395–427.

[21] Charles, D., and Lauter, K. Computing modular polynomials. LMS
Journal of Computation and Mathematics 8 (2005), 195–204.
[22] Charles, D. X., Goren, E. Z., and Lauter, K. E. Families of
ramanujan graphs and quaternion algebras. Groups and symmetries: from
Neolithic Scots to John McKay 47 (2009), 53–63.
[23] Charles, D. X., Lauter, K. E., and Goren, E. Z. Cryptographic
hash functions from expander graphs. J. Cryptol. 22, 1 (2009), 93–113.
[24] Chi-Domínguez, J., and Reijnders, K. Don’t forget the constant-time
in CSURF. IACR Cryptol. ePrint Arch. (2021), 259.

[25] Chi-Domínguez, J., and Reijnders, K. Fully projective radical isogenies
in constant-time. In Topics in Cryptology - CT-RSA 2022 - Cryptographers’
Track at the RSA Conference 2022, Virtual Event, March 1-2, 2022,
Proceedings (2022), S. D. Galbraith, Ed., vol. 13161 of Lecture Notes
in Computer Science, Springer, pp. 73–95.

[26] Chow, J., Dial, O., and Gambetta, J. IBM quantum breaks
the 100-qubit processor barrier. IBM Research Blog, available at
https://research.ibm.com/blog/127-qubit-quantum-processor-eagle (2021).
[27] Chuang, I. L., Gershenfeld, N., and Kubinec, M. Experimental
implementation of fast quantum searching. Physical review letters 80, 15
(1998), 3408.
[28] Cosset, R., and Robert, D. Computing (ℓ, ℓ)-isogenies in polynomial
time on Jacobians of genus 2 curves. Math. Comput. 84, 294 (2015),
1953–1975.
[29] Costello, C. B-SIDH: supersingular isogeny Diffie-Hellman using twisted
torsion. In Advances in Cryptology - ASIACRYPT 2020 - 26th International
Conference on the Theory and Application of Cryptology and Information
Security, Daejeon, South Korea, December 7-11, 2020, Proceedings, Part
II (2020), S. Moriai and H. Wang, Eds., vol. 12492 of Lecture Notes in
Computer Science, Springer, pp. 440–463.

[30] Costello, C. The case for SIKE: A decade of the supersingular isogeny
problem. IACR Cryptol. ePrint Arch. (2021), 543.
[31] Couveignes, J. M. Hard homogeneous spaces. IACR Cryptol. ePrint
Arch. (2006), 291.
[32] De Feo, L., and Galbraith, S. D. SeaSign: Compact isogeny signatures
from class group actions. In Advances in Cryptology - EUROCRYPT 2019
- 38th Annual International Conference on the Theory and Applications
of Cryptographic Techniques, Darmstadt, Germany, May 19-23, 2019,
Proceedings, Part III (2019), Y. Ishai and V. Rijmen, Eds., vol. 11478 of
Lecture Notes in Computer Science, Springer, pp. 759–789.

[33] De Feo, L., Kohel, D., Leroux, A., Petit, C., and Wesolowski, B.
SQISign: Compact post-quantum signatures from quaternions and isogenies.
In Advances in Cryptology - ASIACRYPT 2020 - 26th International
Conference on the Theory and Application of Cryptology and Information
Security, Daejeon, South Korea, December 7-11, 2020, Proceedings, Part
I (2020), S. Moriai and H. Wang, Eds., vol. 12491 of Lecture Notes in
Computer Science, Springer, pp. 64–93.
[34] Delfs, C., and Galbraith, S. D. Computing isogenies between
supersingular elliptic curves over Fp . Des. Codes Cryptogr. 78, 2 (2016),
425–440.
[35] Diffie, W., and Hellman, M. E. New directions in cryptography. IEEE
Trans. Inf. Theory 22, 6 (1976), 644–654.
[36] Dolgachev, I., and Lehavi, D. On isogenous principally polarized
abelian surfaces. Curves and abelian varieties 465 (2008), 51–69.
[37] Doliskani, J., Pereira, G. C. C. F., and Barreto, P. S. L. M.
Faster cryptographic hash function from supersingular isogeny graphs.
IACR Cryptol. ePrint Arch. (2017), 1202.

[38] Edixhoven, B., Van der Geer, G., and Moonen, B. Abelian varieties.
Preprint (2012), 331. Available at https://www.math.ru.nl/~bmoonen/research.html#bookabvar.
[39] Enge, A. Computing modular polynomials in quasi-linear time.
Mathematics of Computation 78, 267 (2009), 1809–1824.
[40] Florit, E., and Smith, B. Automorphisms and isogeny graphs of abelian
varieties, with applications to the superspecial Richelot isogeny graph. CoRR
abs/2101.00919 (2021).
[41] Flynn, E. V., and Ti, Y. B. Genus two isogeny cryptography. In
Post-Quantum Cryptography - 10th International Conference, PQCrypto
2019, Chongqing, China, May 8-10, 2019 Revised Selected Papers (2019),
J. Ding and R. Steinwandt, Eds., vol. 11505 of Lecture Notes in Computer
Science, Springer, pp. 286–306.
[42] Galbraith, S. D. Mathematics of Public Key Cryptography. Cambridge
University Press, 2012.
[43] Galbraith, S. D., Harrison, K., and Soldera, D. Implementing the
Tate pairing. In Algorithmic Number Theory, 5th International Symposium,
ANTS-V, Sydney, Australia, July 7-12, 2002, Proceedings (2002), C. Fieker
and D. R. Kohel, Eds., vol. 2369 of Lecture Notes in Computer Science,
Springer, pp. 324–337.
[44] Galbraith, S. D., Petit, C., Shani, B., and Ti, Y. B. On the
security of supersingular isogeny cryptosystems. In Advances in Cryptology
- ASIACRYPT 2016 - 22nd International Conference on the Theory and
Application of Cryptology and Information Security, Hanoi, Vietnam,
December 4-8, 2016, Proceedings, Part I (2016), J. H. Cheon and T. Takagi,
Eds., vol. 10031 of Lecture Notes in Computer Science, pp. 63–91.
[45] Galbraith, S. D., and Smart, N. P. A cryptographic application
of Weil descent. In Cryptography and Coding, 7th IMA International
Conference, Cirencester, UK, December 20-22, 1999, Proceedings (1999),
M. Walker, Ed., vol. 1746 of Lecture Notes in Computer Science, Springer,
pp. 191–200.
[46] Gibney, E. Hello quantum world! Google publishes landmark quantum
supremacy claim. Nature 574, 7779 (2019), 461–463.
[47] Goursat, E. Sur la réduction des intégrales hyperelliptiques. Bulletin de
la Société Mathématique de France 13 (1885), 143–162.
[48] Hermite, C. Sur un exemple de réduction d’intégrales abéliennes, aux
fonctions elliptiques. F. Hayez, imp. de l’Académie, 1876.
[49] Howe, E. W., Leprévost, F., and Poonen, B. Large torsion subgroups
of split Jacobians of curves of genus two or three. Forum Math. 12, 3
(2000), 315–364.

[50] Jacques, S. Landscape of quantum computing in 2021.
https://sam-jaques.appspot.com/quantum_landscape visited on 2022-03-01.
[51] Jao, D., and De Feo, L. Towards quantum-resistant cryptosystems from
supersingular elliptic curve isogenies. In Post-Quantum Cryptography - 4th
International Workshop, PQCrypto 2011, Taipei, Taiwan, November 29 -
December 2, 2011. Proceedings (2011), B. Yang, Ed., vol. 7071 of Lecture
Notes in Computer Science, Springer, pp. 19–34.
[52] Jaques, S., and Schanck, J. M. Quantum cryptanalysis in the RAM
model: Claw-finding attacks on SIKE. In Advances in Cryptology -
CRYPTO 2019 - 39th Annual International Cryptology Conference, Santa
Barbara, CA, USA, August 18-22, 2019, Proceedings, Part I (2019),
A. Boldyreva and D. Micciancio, Eds., vol. 11692 of Lecture Notes in
Computer Science, Springer, pp. 32–61.
[53] Jaques, S., and Schrottenloher, A. Low-gate quantum golden
collision finding. In Selected Areas in Cryptography - SAC 2020 - 27th
International Conference, Halifax, NS, Canada (Virtual Event), October
21-23, 2020, Revised Selected Papers (2020), O. Dunkelman, M. J. J. Jr.,
and C. O’Flynn, Eds., vol. 12804 of Lecture Notes in Computer Science,
Springer, pp. 329–359.
[54] Kani, E. The number of curves of genus two with elliptic differentials.
Journal für die reine und angewandte Mathematik (Crelles Journal) 1997
(1997), 122 – 93.
[55] Koblitz, N. Elliptic curve cryptosystems. Mathematics of computation
48, 177 (1987), 203–209.
[56] Kuhn, R. M. Curves of genus 2 with split Jacobian. Transactions of the
American Mathematical Society 307, 1 (1988), 41–49.
[57] Lyubashevsky, V. Fiat-Shamir with aborts: Applications to lattice and
factoring-based signatures. In Advances in Cryptology - ASIACRYPT 2009,
15th International Conference on the Theory and Application of Cryptology
and Information Security, Tokyo, Japan, December 6-10, 2009. Proceedings
(2009), M. Matsui, Ed., vol. 5912 of Lecture Notes in Computer Science,
Springer, pp. 598–616.

[58] McEliece, R. J. A public-key cryptosystem based on algebraic coding
theory. In DSN Progress Report (1978), vol. 42–44, Jet Propulsion
Laboratory, Pasadena, CA, pp. 114–116.
[59] Microsoft. SIKE cryptographic challenge.
https://www.microsoft.com/en-us/msrc/sike-cryptographic-challenge visited on 2022-03-01.
[60] Miller, V. S. Use of elliptic curves in cryptography. In Conference on
the theory and application of cryptographic techniques (1985), Springer,
pp. 417–426.
[61] Milne, J. Abelian varieties. Course notes, version 2.0, available at
https://www.jmilne.org/math/CourseNotes/av.html, 2008.
[62] Moody, D., and Shumow, D. Analogues of Vélu’s formulas for isogenies
on alternate models of elliptic curves. Math. Comput. 85, 300 (2016),
1929–1951.

[63] Mumford, D. Abelian varieties, vol. 5. Tata Institute of Fundamental
Research Studies in Mathematics, 2008. With appendices by C. P.
Ramanujam and Yuri Manin, Corrected reprint of the second (1974) edition.
[64] National Institute of Standards and Technology. Digital
signature standard (DSS). https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf
visited on 2022-03-01.
[65] National Institute of Standards and Technology. Post-
quantum cryptography. https://csrc.nist.gov/projects/post-quantum-cryptography
visited on 2022-03-01.
[66] National Institute of Standards and Technology. Post-
quantum cryptography. https://csrc.nist.gov/projects/post-quantum-cryptography/round-3-submissions
visited on 2022-03-01.
[67] National Institute of Standards and Technology. Recommendation
for key management. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf
visited on 2022-03-01.
[68] National Institute of Standards and Technology. Status
report on the second round of the NIST post-quantum cryptography
standardization process. https://nvlpubs.nist.gov/nistpubs/ir/2020/NIST.IR.8309.pdf
visited on 2022-03-01.

[69] Peikert, C. He gives C-Sieves on the CSIDH. In Advances in Cryptology -
EUROCRYPT 2020 - 39th Annual International Conference on the Theory
and Applications of Cryptographic Techniques, Zagreb, Croatia, May 10-
14, 2020, Proceedings, Part II (2020), A. Canteaut and Y. Ishai, Eds.,
vol. 12106 of Lecture Notes in Computer Science, Springer, pp. 463–492.
[70] Petit, C. Faster algorithms for isogeny problems using torsion point
images. In Advances in Cryptology - ASIACRYPT 2017 - 23rd International
Conference on the Theory and Applications of Cryptology and Information
Security, Hong Kong, China, December 3-7, 2017, Proceedings, Part II
(2017), T. Takagi and T. Peyrin, Eds., vol. 10625 of Lecture Notes in
Computer Science, Springer, pp. 330–353.
[71] Pollard, J. M. Monte Carlo methods for index computation (mod p).
Mathematics of computation 32, 143 (1978), 918–924.

[72] Preskill, J. Quantum Computing in the NISQ era and beyond. Quantum
2 (Aug. 2018), 79.
[73] Pries, R. Current results on Newton polygons of curves. arXiv preprint
arXiv:1806.04654 (2018). To appear as Chapter 6 of Open problems in
Arithmetic Algebraic Geometry.

[74] Renes, J. Computing isogenies between Montgomery curves using the
action of (0, 0). In Post-Quantum Cryptography - 9th International
Conference, PQCrypto 2018, Fort Lauderdale, FL, USA, April 9-11, 2018,
Proceedings (2018), T. Lange and R. Steinwandt, Eds., vol. 10786 of Lecture
Notes in Computer Science, Springer, pp. 229–247.
[75] Richelot, F. De transformatione integralium Abelianorum primi ordinis
commentatio. Journal für die reine und angewandte Mathematik (Crelles
Journal) 1837, 221–284.
[76] Richelot, F. Essai sur une méthode générale pour déterminer la valeur
des intégrales ultra-elliptiques, fondée sur des transformations remarquables
de ces transcendantes. CR Acad. Sc. Paris 2 (1836), 622–627.
[77] Rostovtsev, A., and Stolbunov, A. Public-key cryptosystem based
on isogenies. IACR Cryptol. ePrint Arch. (2006), 145.
[78] Schoof, R. Nonsingular plane cubic curves over finite fields. J. Comb.
Theory, Ser. A 46, 2 (1987), 183–211.
[79] Shaska, T. Genus 2 fields with degree 3 elliptic subfields. Forum Math.
16, 2 (2004), 263–280.
[80] Shor, P. W. Algorithms for quantum computation: Discrete logarithms
and factoring. In 35th Annual Symposium on Foundations of Computer
Science, Santa Fe, New Mexico, USA, 20-22 November 1994 (1994), IEEE
Computer Society, pp. 124–134.
[81] Silverman, J. H. Advanced topics in the arithmetic of elliptic curves,
vol. 151. Springer Science & Business Media, 1994.
[82] Silverman, J. H. The arithmetic of elliptic curves, vol. 106. Springer,
2009.
[83] Silverman, J. H., and Tate, J. T. Rational points on elliptic curves,
vol. 9. Springer, 1992.
[84] Smart, N. P. The discrete logarithm problem on elliptic curves of trace
one. J. Cryptol. 12, 3 (1999), 193–196.

[85] Smith, B. Computing low-degree isogenies in genus 2 with the Dolgachev-
Lehavi method. Arithmetic, geometry, cryptography and coding theory 574
(2012), 159–170.
[86] Smith, B. A. Explicit endomorphisms and correspondences. PhD thesis,
University of Sydney, 2005.
[87] Smith, B. A. Isogenies and the discrete logarithm problem in Jacobians
of genus 3 hyperelliptic curves. J. Cryptol. 22, 4 (2009), 505–529.
[88] Strassen, V. The computational complexity of continued fractions. SIAM
J. Comput. 12, 1 (1983), 1–27.

[89] Sutherland, A. V. On the evaluation of modular polynomials. CoRR
abs/1202.3985 (2012).
[90] Takashima, K. Efficient algorithms for isogeny sequences and their
cryptographic applications. In Mathematical Modelling for Next-Generation
Cryptography: CREST Crypto-Math Project, T. Takagi, M. Wakayama,
K. Tanaka, N. Kunihiro, K. Kimoto, and D. H. Duong, Eds., Mathematics
for Industry. Springer Singapore, 2017, pp. 97–114.
[91] Tani, S. Claw finding algorithms using quantum walk. Theor. Comput.
Sci. 410, 50 (2009), 5285–5297.

[92] Vélu, J. Isogénies entre courbes elliptiques. CR Acad. Sci. Paris, Séries
A 273 (1971), 305–347.
[93] Zhang, E. J., Srinivasan, S., Sundaresan, N., Bogorin, D. F.,
Martin, Y., Hertzberg, J. B., Timmerwilke, J., Pritchett,
E. J., Yau, J.-B., Wang, C., et al. High-fidelity superconducting
quantum processors via laser-annealing of transmon qubits. arXiv preprint
arXiv:2012.08475 (2020).
Part II

Publications
Chapter 6

SeaSign 2.0

Mathematics: a branch of physics in which the experiments are cheap.

Vladimir Arnold

Publication data

Thomas Decru and Lorenz Panny and Frederik Vercauteren (2019). Faster
SeaSign Signatures Through Improved Rejection Sampling. In Post-Quantum
Cryptography - 10th International Conference, PQCrypto 2019, Chongqing,
China, May 8-10, 2019 Revised Selected Papers (pp. 271–285). Springer.

Own contribution

My main contributions are coming up with variant T of the scheme, verifying some of the implementational results and writing parts of the article.
Faster SeaSign signatures
through improved rejection sampling

Thomas Decru¹, Lorenz Panny², and Frederik Vercauteren¹

thomas.decru@kuleuven.be, lorenz@yx7.cc, frederik.vercauteren@kuleuven.be

¹ imec-COSIC, ESAT, KU Leuven, Belgium
² Department of Mathematics and Computer Science, Technische Universiteit Eindhoven, The Netherlands

Abstract. We speed up the isogeny-based “SeaSign” signature scheme recently proposed by De Feo and Galbraith. The core idea in SeaSign is to apply the “Fiat–Shamir with aborts” transform to the parallel repeated execution of an identification scheme based on CSIDH. We optimize this general transform by allowing the prover to not answer a limited number of said parallel executions, thereby lowering the overall probability of rejection. The performance improvement ranges between factors of approximately 4.4 and 65.7 for various instantiations of the scheme, at the expense of roughly doubling the signature sizes.

Keywords: Isogeny-based cryptography, signatures, SeaSign, rejection sampling, group actions.

1 Introduction

Elliptic curves have become a staple in various cryptographic applications in the past decades. In 1994, however, it was pointed out by Shor that a quantum computer could solve the Discrete Logarithm Problem (DLP), which is the core hardness assumption in elliptic-curve cryptography, in polynomial time [12]. For that reason, some of the recent research has shifted towards isogeny-based cryptography. In essence, the underlying mathematical problem is to find an isogeny between two given elliptic curves over a finite field. According to current knowledge, this problem can generally be assumed to be hard, even with the possible advent of quantum computers in mind.

The first instances of isogeny-based cryptosystems were proposed by Couveignes in 1997 [2], including a non-interactive key exchange protocol. His paper was not published at that time, and the idea was independently rediscovered in 2006 by Rostovtsev and Stolbunov [11]. More recently, Jao and De Feo proposed the so-called Supersingular Isogeny Diffie–Hellman (SIDH) scheme in 2011 [7]. This key-exchange protocol is the basis for SIKE [6], which was submitted to the post-quantum standardization project led by NIST [10]. SIDH is inherently different from the scheme of Couveignes and Rostovtsev–Stolbunov, mostly due to the fact that the endomorphism rings of supersingular elliptic curves are noncommutative. However, in 2018, Castryck, Lange, Martindale, Panny and Renes adapted the Couveignes–Rostovtsev–Stolbunov scheme to supersingular elliptic curves, which yields big efficiency improvements, and named the resulting protocol “CSIDH” [1]. In essence, this variation is made possible by restricting the family of curves under consideration to supersingular elliptic curves defined over F_p instead of F_{p²}.

(Title-page note.) Author list in alphabetical order; see https://www.ams.org/profession/leaders/culture/CultureStatement04.pdf. This work was supported in part by the Commission of the European Communities through the Horizon 2020 program under project number 643161 (ECRYPT-NET) and in part by the Research Council KU Leuven grants C14/18/067 and STG/17/019. Date of this document: 2018.12.12.
CSIDH’s small key sizes prompted De Feo and Galbraith to transform it into a signature scheme called SeaSign in the same year [4]. The construction uses the Fiat–Shamir with aborts framework, a technique commonly used in lattice-based cryptography [8], together with an isogeny-based identification scheme going back to Couveignes [2] and Rostovtsev–Stolbunov [11]. Their paper presents three different versions of SeaSign featuring various trade-offs between signature size, public-key size, and secret-key size. One of these versions attains 128 bits of security with signatures of less than one kilobyte. An issue impacting all of these schemes, however, is that the signing and verification times are rather substantial. Indeed, the basic SeaSign scheme takes (on average) almost two days to sign a message on a typical CPU, whereas the variants with smaller signatures or public keys still take almost ten minutes to sign (on average).

In this paper we tackle this performance issue in the more general setting of using group actions in a “Fiat–Shamir with aborts” scheme. We first discuss two (unfortunately mutually exclusive) adjustments that reduce the likelihood of rejections, which decreases the expected number of failed signing attempts before a success and hence makes signing more efficient. Next, we describe a modification that significantly speeds up the signing process at the cost of a small increase in signature size. The basic idea is to allow the prover to refuse answering a small fixed number of challenges, thereby reducing the overall probability of aborting. To attain a given security level, the total number of challenges—and correspondingly the signature size—will be somewhat larger than for standard Fiat–Shamir with aborts. As an application of these general techniques, we analyze the resulting speed-up for the various versions of the SeaSign signature scheme. The improvement is most noticeable when applied to the basic scheme: the original signing cost goes down from almost two days to just over half an hour. The other two, more advanced variants are still sped up by a factor of four to roughly two minutes per signature. Even though this is still too slow for most (if not all) applications, it is a significant improvement over the state of the art, and the underlying ideas of these speed-ups might be useful for other cryptographic schemes as well.

Acknowledgements. We are thankful to Steven Galbraith for his observation about shorter signatures in Remark 2, and to Taechan Kim for pointing out an error in an earlier version of the script in Appendix A.

1.1. Notation. The notation [a; b] denotes the integer range {a, ..., b}. Fix n ≥ 1. Throughout, we will consider a transitive action of the abelian group Zⁿ on a finite set X, with a fixed element E0 ∈ X. We will assume that “short” vectors in Zⁿ are enough to reach “almost all” elements of X.¹ Moreover, we assume that the cost of computing the action [v]E of a vector v ∈ Zⁿ on an element E ∈ X is linear in the 1-norm $\|v\|_1 = \sum_{j=1}^{n} |v_j|$ of v. (We will argue in Section 2.1 that these assumptions are satisfied in the CSIDH setting.)

2 Preliminaries

A good introductory reference for the applications of elliptic-curve isogenies in cryptography are the lecture notes by De Feo [3].
2.1. CSIDH. Consider a supersingular elliptic curve E defined over F_p, where p is a large prime. While the endomorphism ring End(E) of E over the algebraic closure of F_p is noncommutative, the ring End_{F_p}(E) of endomorphisms defined over F_p is an order O in the imaginary quadratic field Q(√−p).

The ideal class group of End_{F_p}(E) = O is the quotient of the group of fractional invertible ideals in O by the principal fractional invertible ideals in O, and will be denoted cl(O). The group cl(O) acts on the set of F_p-isomorphism classes of elliptic curves with F_p-rational endomorphism ring O through isogenies. More specifically, when given an O-ideal a and an elliptic curve E with End_{F_p}(E) = O, we define [a]E as the codomain of the isogeny φ_a : E → E/a whose kernel is $\bigcap_{\alpha \in \mathfrak{a}} \ker \alpha$. This isogeny is well-defined and unique up to F_p-isomorphism.

There are formulas for computing [a]E. However, for general a, this computation requires large field extensions and hence has superpolynomial time complexity. To avoid this, CSIDH restricts to ideals of the form $\mathfrak{a} = \prod_{i=1}^{n} \mathfrak{l}_i^{e_i}$, where all l_i are prime ideals of small norm ℓ_i, and such that the action of l_i can be computed entirely over the base field F_p. The curve [a]E can then be computed by chaining isogenies of degrees ℓ_i. In principle the cost of computing the action of l_i is in Θ(ℓ_i), but for small values of ℓ_i it is dominated by a full-size scalar multiplication, which is why assuming cost |e_1| + · · · + |e_n| for computing the action of $\prod_{i=1}^{n} \mathfrak{l}_i^{e_i}$, as mentioned in Section 1.1, comes close to the truth. (Moreover, in our setting, the |e_i| are all identically distributed, hence the differences in costs between various ℓ_i disappear on average.)
The CSIDH group action is defined as follows.
Parameters. Integers n ≥ 1, B ≥ 0. A prime p of the form 4 · ℓ_1 · · · ℓ_n − 1, with ℓ_i small distinct odd primes. The elliptic curve E0 : y² = x³ + x over F_p. Write X for the set of (F_p-isomorphism classes of) elliptic curves over F_p with End_{F_p}(E) = O = Z[π], where π is the F_p-Frobenius endomorphism.

Group action. A group element is represented² by a vector (e_1, ..., e_n) ∈ Zⁿ sampled uniformly random from [−B; B]ⁿ, which defines the ideal $\mathfrak{a} = \prod_{i=1}^{n} \mathfrak{l}_i^{e_i}$ with l_i = ⟨ℓ_i, π − 1⟩. A public element is represented by a single coefficient A ∈ F_p, describing the curve E_A : y² = x³ + Ax² + x. The result of the action of an ideal a on a public element A ∈ F_p, assuming that E_A has the right endomorphism ring O, is the coefficient B of the curve [a]E_A : y² = x³ + Bx² + x.

¹ In other words: The action of Zⁿ on X factors through the quotient Q = Zⁿ/S, where S ≤ Zⁿ is the stabilizer of any E ∈ X, and we assume that Q is “sufficiently” covered by “short” vectors in Zⁿ under the quotient map Zⁿ ↠ Q.

The security assumption of the group action is that it is essentially a black-box version of the group cl(O) on which anyone can efficiently act by translations. In particular, given two elliptic curves E, E′ ∈ X, it should be hard to find an ideal a of O such that E′ = [a]E.
Notice that it is not clear in general that the vectors in [−B; B]n cover
the whole group, or even a “large” fraction. Unfortunately, sampling uniformly
random from cl(O) is infeasible for large enough parameters, since there is no
known efficient way to compute the structure of cl(O) in that case. In fact,
knowing the exact class group structure would be sufficient to obtain much more
efficient signatures, since no rejection sampling would be required [4]. Under the
right assumptions however, the elements represented by vectors in [−B; B]n are
likely to cover a large fraction of the group as long as (2B + 1)n ≥ #cl(O). The
values suggested for (n, B) in [1] are (74, 5), which aim to cover a group of size
approximately 2²⁵⁶. This results in group elements of 32 bytes, public elements
of 64 bytes, and a performance of about 40 ms per group action computation.
For more details, see [1].
As stated in Section 1.1, we will from now on abstract away the underlying
isogeny-based constructions and work in the setting of the group (Zn , +) acting
on a finite set X.

2.2. SeaSign. SeaSign [4] is a signature scheme based on a sketch of an isogeny-based identification scheme by Couveignes [2] and Stolbunov [13], in combination with the “Fiat–Shamir with aborts” construction [8] from lattice-based cryptography to avoid leakage. The identification part of SeaSign works as follows. Note that our exposition differs from [4] for consistency with the following sections.

Parameters. Like CSIDH, and additionally integers δ ≥ 1 and S ≥ 2.³

Keys. Alice’s private key is a list a = (a^(1), ..., a^(S−1)) of S − 1 vectors sampled uniformly random from [−B; B]ⁿ ⊆ Zⁿ. For i ∈ {1, ..., S − 1}, write E_i := [a^(i)]E0, that is, the result of applying the group element represented by a^(i) ∈ Zⁿ; then Alice’s public key is the list [a]E0 := (E_1, ..., E_{S−1}) of her secret vectors applied to the starting element E0. This situation is summarized in Figure 1.

² Note this representation matches the assumptions in Section 1.1.
³ Technically there is no reason for δ to be an integer: it is sufficient that δ ∈ (1/B) · Z, but we will assume δ ∈ Z throughout for simplicity.

Figure 1. Structure of Alice’s key pair. (Diagram: arrows labelled [a^(1)], [a^(2)], ..., [a^(S−1)] from E0 to E_1, E_2, ..., E_{S−1}.)

Identification. Alice samples an ephemeral vector b uniformly random from the set [−(δ + 1)B; (δ + 1)B]ⁿ ⊆ Zⁿ. She then computes E = [b]E0 and commits to E. On challenge c ∈ {0, ..., S − 1}, she computes r = b − a^(c) (where a^(0) is defined as 0). If r ∈ [−δB; δB]ⁿ, she reveals r; else she rejects the challenge. Bob verifies that [r]E_c = E. See Figure 2 for a visual representation of this protocol.

Figure 2. The identification scheme in the scenario c = 2. (Diagram: the key pair of Figure 1, with an additional arrow [b] from E0 to E and an arrow [r] from E_2 to E.)

Since an attacker (who cannot break the underlying isogeny problems) has a
1/S chance of winning, this identification scheme provides log2 S bits of security.
In order to amplify the security level, Alice typically computes t ≥ 1 independent
vectors b1 , ..., bt instead of just one. The verifier responds with t challenges
c1 , ..., ct ∈ {0, ..., S − 1}. Alice then computes ri = bi − a(ci ) for all 1 ≤ i ≤ t and
reveals them if all of them are in [−δB; δB]n ; else she rejects the challenge. In
order to not have to reject too often, δ must be rather large; more specifically, δ
was chosen as nt in [4] to achieve a success probability of roughly 1/e.
As mentioned in the introduction, [4] gives three SeaSign constructions. The original idea is the scheme above with S = 2, i.e., the public key is a single public element. This results in a large t and therefore a very large signature. The second scheme lets the number of private keys S range from 2 up to 2¹⁶, which results in smaller, faster signatures at the expense of larger public-key sizes.⁴ The final scheme reduced the size of the public key again by using a Merkle tree, at the cost of increasing the signature size. We will not elaborate on all those variants in detail.

To turn this identification scheme into a non-interactive signature protocol, the standard Fiat–Shamir transformation can be applied [5]. In essence, Alice obtains the challenges c_1, ..., c_t herself by hashing the ephemeral public elements [b_1]E0, ..., [b_t]E0 together with her message. Alice then sends her signature ([b_1]E0, ..., [b_t]E0; r_1, ..., r_t) to Bob, who can recompute the challenges c_1, ..., c_t to verify that indeed [r_i]E_{c_i} = [b_i]E0 for all i ∈ {1, ..., t}.

3 The improved signature scheme

In this section we describe our improvements.

3.1. Core ideas.

1. The first improvement is minor (but still significant) and concerns the identification scheme itself: the following observations result in two variants of the scheme that are more efficient than the basic scheme.⁵
   – Variant F: The ephemeral secret b is automatically independent of all secrets a^(i), hence can be revealed even if it lies outside of [−δB; δB]ⁿ. We remark that this variant is described in [4] already but disregarded as only a single signing attempt is examined. When taking into account the average signing cost however, it can clearly improve performance, and we will quantify these improvements.
   – Variant T: Depending on the entries of the concrete private keys a^(i), the ephemeral secret b can be sampled from a smaller set than the worst-case range used in SeaSign to reduce the probability of rejection. Indeed, although the j-th entry in each a^(i) is a priori sampled uniformly in [−B; B], which gives rise to the interval [−(δ + 1)B; (δ + 1)B] for the j-th coefficient of each ephemeral vector b, it is obviously useless (since it will always be rejected) to sample the j-th coefficient outside the interval [−δB + m_j; δB + M_j] with m_j = min{0, a_j^(1), ..., a_j^(S−1)} and M_j = max{0, a_j^(1), ..., a_j^(S−1)}.
   It is clear that Variant F and Variant T are mutually exclusive: in Variant T the ephemeral secret b is sampled from a set that is dependent on the private keys a^(i), whereas for Variant F to work it is required that this sampling is done completely independently.
2. The second improvement is more significant and modifies the “Fiat–Shamir with aborts” transform as follows: assume the identification scheme uses s-bit challenges (corresponding to a probability of 2^{−s} that an attacker can cheat), and that each execution has probability of rejection ε. The SeaSign approach to attain security level λ is to simultaneously obtain t = ⌈λ/s⌉ non-rejected executions of the identification protocol which happens with probability (1 − ε)^t. Our approach increases the total number of challenges, but allows the prover to refuse answering a fixed number u of them, since this tolerates much higher rejection probabilities at the cost of a relatively small increase in public-key and signature size.

⁴ In [4], S is always a power of 2, but any S ≥ 2 works.
⁵ The acronyms F and T refer to “full” and “truncated” ranges, respectively.

We now provide more details on each of the above ideas.

3.2. Identification scheme.

Parameters. Integers S ≥ 2 and δ ≥ 1.

Keys. Like in SeaSign (Section 2.2).

Identification. Using Alice’s key pair (a, [a]E0), a (log₂ S)-bit identification protocol can be constructed as follows. Alice samples a vector b uniformly random from a set I ⊆ Zⁿ that depends on the variant:

Variant F: $I = [-(\delta+1)B;\,(\delta+1)B]^n$.

Variant T: $I = \prod_{j=1}^{n} \bigl[-\delta B + m_j;\, \delta B + M_j\bigr]$, where $m_j = \min\{0, a^{(1)}_j, \ldots, a^{(S-1)}_j\}$ and $M_j = \max\{0, a^{(1)}_j, \ldots, a^{(S-1)}_j\}$.

She then computes E = [b]E0 and commits to E. On challenge c ∈ {0, ..., S − 1}, she computes r = b − a^(c) (where a^(0) is defined as 0). In Variant F, if c = 0 or r ∈ [−δB; δB]ⁿ, and in Variant T, if r ∈ [−δB; δB]ⁿ, then she reveals r; else she rejects the challenge. Bob verifies that [r]E_c = E.

Lemma 1. The distribution of revealed vectors r is independent of a^(c).

Proof. This is trivial in Variant F in the event c = 0. For the other cases, note that I is constructed such that r = b − a^(c) is uniformly distributed on a set containing Δ := [−δB; δB]ⁿ, no matter what a^(c) is. Therefore, the distribution of r conditioned on the event r ∈ Δ is uniform on Δ independently of a^(c). □

Remark 1. Lemma 1 only talks about the conditional distribution of r if it is revealed. Note that in Variant T, the probability that it can be revealed is still correlated to the entries of a^(c), which may have security implications. We show in Section 3.3 how to get around this issue in a signature scheme.
3.3. Signature scheme. Our improved signature scheme is essentially the
“Fiat–Shamir with aborts” construction also used in SeaSign (see Section 2.2),
except that we allow the signer to reject a few challenges in each signature. The
resulting scheme is parameterized by two integers t ≥ 0, denoting the number of
challenges the signer must answer correctly, and u ≥ 0, the number of challenges
she may additionally refuse to answer.
Write ID for (one of the variants of) the identification scheme in Section 3.2.
Keys. Alice’s identity key consists of a key pair (a, [a]E0 ) as in ID.
Signing. To sign a message m, Alice first generates a list b_1, ..., b_{t+u} of random vectors, each sampled as the vector b in ID. She computes the corresponding public elements [b_1]E0, ..., [b_{t+u}]E0 and hashes them together with the message m to obtain a list of challenges c_1, ..., c_{t+u} ∈ {0, ..., S − 1}. To produce her signature, she then traverses the tuples (b_i, c_i) in a random order, computing the correct response r_i = b_i − a^(c_i) (as in ID) if possible and a rejection ⊥ otherwise. Once t successful responses have been generated, the remaining challenges are all rejected in order not to leak any information about the rejection probability; cf. Remark 1.⁶ Finally, the signature is

([b_1]E0, ..., [b_{t+u}]E0; r_1, ..., r_{t+u}),

where exactly u of the r_i equal ⊥. (If less than t challenges could be answered, Alice aborts and retries the whole signing process with new values of b_i.)

Verification. This again is standard: Bob first checks that at most u of the t + u values r_i are ⊥. He then recomputes the challenges c_1, ..., c_{t+u} by hashing the message m together with the ephemeral elements [b_i]E0 and verifies that [r_i]E_{c_i} = [b_i]E0 for all i ∈ {1, ..., t + u} with r_i ≠ ⊥.

Remark 2. The signatures can be shortened further: Sending those [b_i]E0 with r_i ≠ ⊥ is wasteful. It is enough to send the hash H of all ephemeral elements [b_i]E0 instead, since Bob can extract c_i from H, recompute [b_i]E0 as [r_i]E_{c_i}, and verify in the end that the hash H was indeed correct.

Remark 3. As mentioned earlier, one can reduce the public-key size by using a Merkle tree, but this does not significantly alter the computation time for any part of the protocol. Given that the main focus of our adjustments to SeaSign is speeding it up, we will therefore not investigate this avenue any further.

Security. The security proof for this scheme is completely analogous to that of the original SeaSign scheme. This follows from Lemma 1 and the fact that there are always a fixed number u of ⊥ per signature in random positions. Instead of reproducing the proof here, we refer the reader to [4].

⁶ This is why the tuples are processed in a random order: Proceeding sequentially and rejecting the remaining tail still leaks, since the number of ⊥ at the end would be correlated to the rejection probability.
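The identification scheme of Section 3.2 and the signing and verification procedure above, as an added example that is not the paper's code: the CSIDH action is replaced by a toy additive action of Zⁿ on (Z/N)ⁿ (an assumption with no security, chosen only so that the rejection-sampling logic runs offline), the challenge derivation is a constructed SHAKE-256 hash, and all function names are ours.

```python
import hashlib
import random

# Toy stand-in for the group action (assumption, not CSIDH): Z^n acts on
# X = (Z/N)^n by [v]E = E + v mod N.  The action is trivially invertible, so
# this offers no security; only the protocol logic around it is the paper's.
N_TOY = 2**61 - 1             # constructed modulus
n, B = 8, 5                   # small parameters; the paper uses (n, B) = (74, 5)
E0 = tuple([0] * n)
REJECT = None                 # plays the role of the rejection symbol ⊥

def act(v, E):
    """[v]E in the toy action."""
    return tuple((e + x) % N_TOY for e, x in zip(E, v))

def keygen(S, rng):
    """Secret key a = (a^(1), ..., a^(S-1)) in [-B;B]^n, public key [a]E0."""
    a = [[rng.randint(-B, B) for _ in range(n)] for _ in range(S - 1)]
    return a, [act(ai, E0) for ai in a]

def sample_b(a, delta, variant, rng):
    """Ephemeral vector b from the set I of Section 3.2 (Variant F or T)."""
    if variant == "F":
        return [rng.randint(-(delta + 1) * B, (delta + 1) * B) for _ in range(n)]
    b = []
    for j in range(n):                      # Variant T: shrink per coordinate
        col = [ai[j] for ai in a]
        m_j, M_j = min(0, *col), max(0, *col)
        b.append(rng.randint(-delta * B + m_j, delta * B + M_j))
    return b

def respond(a, b, c, delta, variant):
    """r = b - a^(c) if it may be revealed, else REJECT (a^(0) = 0)."""
    a_c = [0] * n if c == 0 else a[c - 1]
    r = [bj - aj for bj, aj in zip(b, a_c)]
    if variant == "F" and c == 0:           # b is independent of every a^(i)
        return r
    return r if all(-delta * B <= rj <= delta * B for rj in r) else REJECT

def challenges(eph, msg, S):
    """Fiat-Shamir challenges c_i in {0,...,S-1} from the [b_i]E0 and m.
    Constructed derivation: two SHAKE-256 bytes per challenge, which is
    uniform whenever S divides 2^16 (S is a power of two in SeaSign)."""
    k = len(eph)
    h = hashlib.shake_256(repr(eph).encode() + msg).digest(2 * k)
    return [int.from_bytes(h[2 * i:2 * i + 2], "big") % S for i in range(k)]

def sign(sk, msg, S, t, u, delta, variant, rng):
    """Section 3.3: answer exactly t challenges and reject exactly u."""
    while True:                             # abort and retry with fresh b_i
        bs = [sample_b(sk, delta, variant, rng) for _ in range(t + u)]
        eph = [act(b, E0) for b in bs]
        cs = challenges(eph, msg, S)
        rs = [REJECT] * (t + u)
        order = list(range(t + u))
        rng.shuffle(order)                  # random order, cf. footnote 6
        answered = 0
        for i in order:
            if answered == t:               # remaining challenges stay REJECT
                break
            r = respond(sk, bs[i], cs[i], delta, variant)
            if r is not REJECT:
                rs[i], answered = r, answered + 1
        if answered == t:
            return eph, rs

def verify(pk, msg, sig, S, t, u, delta, variant):
    """At most u rejections, and [r_i]E_{c_i} = [b_i]E0 for every answered i."""
    eph, rs = sig
    if len(eph) != t + u or len(rs) != t + u or sum(r is REJECT for r in rs) > u:
        return False
    for Ei, ci, ri in zip(eph, challenges(eph, msg, S), rs):
        if ri is REJECT:
            continue
        # revealed range: [-δB; δB], or [-(δ+1)B; (δ+1)B] for c = 0 in Variant F
        bound = (delta + (1 if variant == "F" and ci == 0 else 0)) * B
        if any(abs(rj) > bound for rj in ri):
            return False
        if act(ri, E0 if ci == 0 else pk[ci - 1]) != Ei:
            return False
    return True

def demo(variant, S, t, u, delta, seed):
    """Sign, verify, then verify a copy with one revealed entry altered.
    Returns (valid, tampered_valid, number_of_rejections)."""
    rng = random.Random(seed)
    sk, pk = keygen(S, rng)
    msg = b"constructed test message"
    eph, rs = sign(sk, msg, S, t, u, delta, variant, rng)
    valid = verify(pk, msg, (eph, rs), S, t, u, delta, variant)
    i = next(k for k, r in enumerate(rs) if r is not REJECT)
    bad = [list(r) if r is not REJECT else r for r in rs]
    bad[i][0] += 1
    tampered = verify(pk, msg, (eph, bad), S, t, u, delta, variant)
    return valid, tampered, sum(r is REJECT for r in rs)
```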
4 Analysis and results

In order to quantify our speed-ups compared to the original SeaSign scheme, we analyze our adjustments in the same context as [4]. This means that (n, B) = (74, 5) and log₂ p ≈ 512. Furthermore we will require 128 bits of security and will let S range through powers of two between 2 and 2¹⁶.

As mentioned before, Variant F and Variant T are mutually exclusive. For this reason, we computed the results for both cases to compare which performs better under given conditions. Variant T clearly converges to the original SeaSign scheme rapidly for growing S, while Variant F always keeps at least a little bit of advantage. It is clear that from a certain value of S onward, Variant F will always be better. For small S however, Variant T will outperform Variant F rather significantly for average-case key vectors.
We now discuss how to optimize the parameters (t, u, δ) for a given S. The main cost metric is the expected signing time⁷

$$\delta \cdot (t+u)/q,$$

where q is the probability of a full signing attempt being successful (i.e., at most u rejections ⊥). This optimization problem depends on two random variables:
– The number Z of challenges that an attacker can successfully answer even though he cannot break the underlying isogeny problems.
– The number A of challenges that Alice can answer without leaking, i.e., the number of non-rejected challenges.
Since the t + u challenges are independent, both Z and A are binomially distributed with count t + u. Let T_{k,α} denote the tail cumulative distribution function of Bin_{k,α}, i.e.,

$$T_{k,\alpha}(x) = \sum_{i=x}^{k} \binom{k}{i} \alpha^{i} (1-\alpha)^{k-i},$$

which is the probability that a Bin_{k,α}-distributed variable attains a value of at least x. The success probability for an attacker is 1/S, since he knows the correct answer to at most one of S challenges c. In order to achieve 128 bits of security, it is required that

$$\Pr[Z \ge t] = T_{t+u,\,1/S}(t) \le 2^{-128}.$$

This condition implies that for fixed S and t, there is a maximal value u_max(t) for u, the number of allowed rejections ⊥, regardless of δ.

Let σ(δ) denote Alice’s probability of being able to answer (i.e., not reject ⊥) a single challenge for a given value of δ; hence A ∼ Bin_{t+u,σ(δ)}. In order to find the optimal (u, δ) for a given t, we need to minimize the expression

$$\delta \cdot (t+u)/q(t,u,\delta),$$

where

$$q(t,u,\delta) = \Pr[A \ge t] = T_{t+u,\,\sigma(\delta)}(t)$$

is the probability of a full signing attempt being successful. The function σ depends on the variant (F or T). In case of Variant F we have

$$\sigma(\delta) = \frac{1}{S} + \frac{S-1}{S}\left(\frac{2\delta B + 1}{2(\delta+1)B + 1}\right)^{n}.$$

For Variant T, the function depends on the private keys in use. With fixed private keys a^(1), ..., a^(S−1) and the notation m_j = min{0, a_j^(1), ..., a_j^(S−1)} and M_j = max{0, a_j^(1), ..., a_j^(S−1)} as before, the formula becomes

$$\sigma(\delta) = \prod_{j=1}^{n} \frac{2\delta B + 1}{2\delta B + 1 - m_j + M_j}.$$

For our analysis we work with the expected probability over all possible keys.

⁷ Other optimizations could look at the sum of signing and verification time, or even take into account key generation time, but we will not delve into those options.
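The optimization just described, as an added example that is not the paper's Sage script from Appendix A: plain Python that evaluates T_{k,α}, σ(δ) for both variants and the expected signing cost, and recomputes one Variant F row of Table 1 (S = 2¹⁶, t = 10, u = 22, δ = 79). The function names and the explicit search ranges passed to optimize_F are ours; (n, B) and the security level are the paper's.

```python
import math
from fractions import Fraction

n, B = 74, 5        # (n, B) of CSIDH-512 as used in Section 4
SECBITS = 128       # required security level

def tail(k, alpha, x):
    """T_{k,alpha}(x) = Pr[Bin_{k,alpha} >= x]; exact when alpha is a Fraction."""
    return sum(math.comb(k, i) * alpha**i * (1 - alpha)**(k - i)
               for i in range(x, k + 1))

def sigma_F(delta, S):
    """Variant F: probability that Alice can answer a single challenge."""
    ratio = (2 * delta * B + 1) / (2 * (delta + 1) * B + 1)
    return 1 / S + (S - 1) / S * ratio**n

def sigma_T(delta, keys):
    """Variant T for fixed private keys a^(1), ..., a^(S-1) (each n integers)."""
    sigma = 1.0
    for j in range(n):
        col = [a[j] for a in keys]
        m_j, M_j = min(0, *col), max(0, *col)
        sigma *= (2 * delta * B + 1) / (2 * delta * B + 1 - m_j + M_j)
    return sigma

def is_secure(t, u, S):
    """Attacker condition Pr[Z >= t] = T_{t+u,1/S}(t) <= 2^-128, evaluated exactly."""
    return tail(t + u, Fraction(1, S), t) <= Fraction(1, 2**SECBITS)

def u_max(t, S):
    """Largest admissible u for fixed (t, S); the tail only grows with u."""
    u = 0
    while is_secure(t, u + 1, S):
        u += 1
    return u

def costs(t, u, delta, sigma):
    """Expected attempts 1/q, expected signing cost delta*(t+u)/q and the
    verification cost t*delta, with q = T_{t+u,sigma}(t) = Pr[A >= t].
    Costs are in units of one 'normal' CSIDH operation, as in Table 1."""
    q = tail(t + u, sigma, t)
    return 1 / q, delta * (t + u) / q, t * delta

def table_row_F(S, t, u, delta):
    """Recompute a Variant F row of Table 1: (secure, attempts, sign, verify)."""
    attempts, sign_cost, verify_cost = costs(t, u, delta, sigma_F(delta, S))
    return is_secure(t, u, S), attempts, sign_cost, verify_cost

def optimize_F(S, t, us, deltas):
    """Minimise delta*(t+u)/q over the given u and delta ranges (Variant F),
    discarding insecure u; returns (u, delta, expected signing cost)."""
    best = None
    for u in us:
        if not is_secure(t, u, S):
            continue
        for delta in deltas:
            cost = costs(t, u, delta, sigma_F(delta, S))[1]
            if best is None or cost < best[2]:
                best = (u, delta, cost)
    return best
```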
Our results for the optimization problem can be found in Table 1. The
sage [14] code that computes these values can be found in Appendix A; it takes
about twelve minutes on a single core. We are quite confident that the values
in Table 1 are optimal, but cannot strictly claim so since we have not proven
that the conditions used in the script to terminate the search capture all optimal
values, although this seems reasonable to assume.
There are two major differences in the way we present our data compared
to [4]. First of all, we list the expected signing time instead of a single signing
attempt, which represents the real cost more accurately. Second, we express the
time in equivalents of “normal” CSIDH operations instead of in wall-clock time,
which makes the results independent of a concrete choice of CSIDH implemen-
tation and eases comparison with other work.
Unsurprisingly, the biggest speed-up can be seen for the basic SeaSign scheme
(i.e., S = 2), since that is where the largest δ could be found. The expected
signing time is reduced by a factor of 65, whereas verification is sped up by
a factor of roughly 31, at the cost of doubling the signature size. As predicted,
Variant F outperforms Variant T from a certain point onward, which apparently
is for S ≥ 2⁴. The case S = 2¹⁶ gains a factor of 4.4 in the expected signing time
and 6.0 in verification time. Note though that it only has 2.7% faster signing
and 21% faster verification than the case S = 2¹⁵ (which uses public keys half
as big), which further emphasizes the importance of choosing the right trade-
offs. Perhaps unsurprisingly, taking u = umax (t) often gives the best (expected)
signing times, although this is not always the case: for instance, for S = 2¹⁶ we
have umax (10) = 29, but u = 22 with a bigger δ yields (slightly) better results.
Table 1. Parameters for our improved SeaSign variants, optimizing for signing time. All of these choices provide ≥ 128 bits of security (of course assuming that the underlying isogeny problems are hard). Gray lines with variant “—” refer to the original parameter selection methodology suggested in [4]. The signature sizes make use of the observation in Remark 2. The “CSIDHs” columns express the computational load in terms of equivalents of a “normal” CSIDH operation, i.e., with exponents in [−B; B]ⁿ, making use of the assumption that the cost is linear in the 1-norm of the input vector. Using current implementations [9,1], computing one “CSIDH”-512 takes approximately 40 ms of wall-clock time on a standard processor. Finally, the rightmost column shows the speed-up in signing and verification times compared to the original SeaSign scheme.

S      t    u   δ     Var.  Public-key  Signature  Exp. signing  Exp. signing  Exp. verifying  Speed-up
                            bytes       bytes      attempts      CSIDHs        CSIDHs          (sign | verify)
2^1    128   0  9472   —         64 b    19600 b   2.718         3295480       1212416
2^1    337  79   114   T         64 b    36838 b   1.058           50175         38418       65.7 | 31.6
2^2     64   0  4736   —        192 b     9216 b   2.718          823818        303104
2^2    144  68   133   T        192 b    18256 b   1.063           29962         19152       27.5 | 15.8
2^3     43   0  3182   —        448 b     5967 b   2.718          371862        136826
2^3     83  56   141   T        448 b    11695 b   1.078           21119         11703       17.6 | 11.7
2^4     32   0  2368   —        960 b     4320 b   2.718          205928         75776
2^4     59  58   119   F        960 b     9376 b   1.076           14985          7021       13.7 | 10.8
2^5     26   0  1924   —       1984 b     3442 b   2.717          135937         50024
2^5     43  50   111   F       1984 b     7301 b   1.085           11198          4773       12.1 | 10.5
2^6     22   0  1628   —       4032 b     2866 b   2.717           97322         35816
2^6     33  42   108   F       4032 b     5835 b   1.089            8824          3564       11.0 | 10.0
2^7     19   0  1406   —       8128 b     2440 b   2.717           72585         26714
2^7     26  32   113   F       8128 b     4550 b   1.107            7254          2938       10.0 |  9.1
2^8     16   0  1184   —      16320 b     2020 b   2.717           51469         18944
2^8     22  30   106   F      16320 b     4028 b   1.114            6139          2332        8.4 |  8.1
2^9     15   0  1110   —      32704 b     1883 b   2.717           45235         16650
2^9     19  28   101   F      32704 b     3609 b   1.121            5321          1919        8.5 |  8.7
2^10    13   0   962   —      65472 b     1609 b   2.717           33974         12506
2^10    17  31    88   F      65472 b     3593 b   1.113            4703          1496        7.2 |  8.4
2^11    12   0   888   —     131008 b     1473 b   2.716           28946         10656
2^11    15  27    89   F     131008 b     3155 b   1.126            4208          1335        6.9 |  8.0
2^12    11   0   814   —     262080 b     1340 b   2.716           24322          8954
2^12    13  18   106   F     262080 b     2413 b   1.165            3828          1378        6.4 |  6.5
2^13    10   0   740   —     524224 b     1207 b   2.716           20099          7400
2^13    12  20    94   F     524224 b     2436 b   1.153            3467          1128        5.8 |  6.6
2^14    10   0   740   —    1048512 b     1208 b   2.716           20099          7400
2^14    11  19    92   F    1048512 b     2276 b   1.157            3193          1012        6.3 |  7.3
2^15     9   0   666   —    2097088 b     1075 b   2.716           16279          5994
2^15    10  15   100   F    2097088 b     1934 b   1.191            2977          1000        5.5 |  6.0
2^16     8   0   592   —    4194240 b      944 b   2.716           12861          4736
2^16    10  22    79   F    4194240 b     2369 b   1.147            2898           790        4.4 |  6.0
References
1. Wouter Castryck, Tanja Lange, Chloe Martindale, Lorenz Panny, and Joost Renes.
CSIDH: An efficient post-quantum commutative group action. In ASIACRYPT,
volume 11274 of Lecture Notes in Computer Science, pages 395–427. Springer,
2018. https://ia.cr/2018/383.
2. Jean Marc Couveignes. Hard homogeneous spaces, 1997. IACR Cryptology ePrint Archive 2006/291, https://ia.cr/2006/291.
3. Luca De Feo. Mathematics of isogeny based cryptography, 2017. https://defeo.lu/ema2017/poly.pdf.
4. Luca De Feo and Steven D. Galbraith. SeaSign: Compact isogeny signatures from class group actions, 2018. IACR Cryptology ePrint Archive 2018/824. https://ia.cr/2018/824.
5. Amos Fiat and Adi Shamir. How to prove yourself: Practical solutions to iden-
tification and signature problems. In CRYPTO, volume 263 of Lecture Notes in
Computer Science, pages 186–194. Springer, 1986.
6. David Jao, Reza Azarderakhsh, Matthew Campagna, Craig Costello, Luca De Feo,
Basil Hess, Amir Jalali, Brian Koziel, Brian LaMacchia, Patrick Longa, Michael
Naehrig, Joost Renes, Vladimir Soukharev, and David Urbanik. SIKE. Submission
to [10]. http://sike.org.
7. David Jao and Luca De Feo. Towards quantum-resistant cryptosystems from su-
persingular elliptic curve isogenies. In PQCrypto, volume 7071 of Lecture Notes in
Computer Science, pages 19–34. Springer, 2011. https://ia.cr/2011/506.
8. Vadim Lyubashevsky. Fiat-Shamir with aborts: Applications to lattice and
factoring-based signatures. In International Conference on the Theory and Ap-
plication of Cryptology and Information Security, pages 598–616. Springer, 2009.
9. Michael Meyer and Steffen Reith. A faster way to the CSIDH, 2018. To appear at
Indocrypt 2018. https://ia.cr/2018/782.
10. National Institute of Standards and Technology. Post-quantum cryptog-
raphy standardization, December 2016. https://csrc.nist.gov/Projects/
Post-Quantum-Cryptography/Post-Quantum-Cryptography-Standardization.
11. Alexander Rostovtsev and Anton Stolbunov. Public-key cryptosystem based on isogenies, 2006. IACR Cryptology ePrint Archive 2006/145. https://ia.cr/2006/145.
12. Peter W. Shor. Polynomial-time algorithms for prime factorization and discrete
logarithms on a quantum computer. SIAM J. Comput., 26(5):1484–1509, 1997.
https://arxiv.org/abs/quant-ph/9508027.
13. Anton Stolbunov. Constructing public-key cryptographic schemes based on class
group action on a set of isogenous elliptic curves. Adv. in Math. of Comm.,
4(2):215–235, 2010.
14. The Sage Developers. SageMath, the Sage Mathematics Software System (version
8.4), 2018. https://sagemath.org.
A Script for Table 1
#!/usr/bin/env sage
# Parameter search for Table 1 (SeaSign 2.0). Indentation and quotes restored
# from the extracted listing; print statements written in Python 3 style so the
# script runs under current Sage releases.
import sys

RR = RealField(1000)

secbits = 128
pbits = 512
csidhn, csidhB = 74, 5
isz = lambda d: 2*d*csidhB+1  # interval size
sigsize = lambda S, t, u, delta, var='O': ceil(1/8 * (0
    + ceil(min(t+u, u*log(t+u,2), t*log(t+u,2)))  # indices of rejections
    + ceil(log(S,2)*(t+u))  # hash of ephemeral public keys
    + pbits*u  # rejected ephemeral public keys
    + t*ceil(log(isz(delta+(var=='F'))**csidhn,2))))  # revealed secret keys
pksize = lambda t, S: ceil(1/8 * (S-1)*pbits)

def Bin(n, p, k):  # Pr[ Bin_n,p >= k ]
    return sum(RR(1) * binomial(n, i) * p**i * (1-p)**(n-i) for i in range(k, n+1))

@cached_function
def joint_minmax_cdf(n, x, y, a, b):
    # Pr that min and max of n independent uniformly random
    # integers in [a;b] satisfy min <= x and max <= y.
    if x < a or y < a: return 0
    if y > b: y = b
    return RR((y-a+1)/(b-a+1))**n - (RR((y-x)/(b-a+1))**n if x < y else 0)

@cached_function
def joint_minmax(n, x, y, a, b):
    # Pr that min and max of n independent uniformly random
    # integers in [a;b] satisfy min = x and max = y.
    F = lambda xx, yy: joint_minmax_cdf(n, xx, yy, a, b)
    return F(x,y) - F(x-1,y) - F(x,y-1) + F(x-1,y-1)

def prob_accept_original(delta, S):
    # sample r from [-(delta+1)*B, (delta+1)*B];
    # reject r and a_c-r outside [-delta*B; +delta*B]
    return (isz(delta) / isz(delta+1)) ** csidhn  # entries are independent

def prob_accept_full(delta, S):
    # sample r from [-(delta+1)*B, (delta+1)*B];
    # reject a_c-r outside [-delta*B; +delta*B]
    prob = (isz(delta) / isz(delta+1)) ** csidhn  # entries are independent
    prob = 1/S*RR(1) + (S-1)/S*prob  # can always reveal r
    return prob

def prob_accept_truncate(delta, S):
    prob = RR(0)
    for x in range(-csidhB, csidhB + 1):
        for y in range(x, csidhB + 1):
            # Pr[min and max coeffs of S-1 secret keys are x and y]
            weight = joint_minmax(S-1, x, y, -csidhB, +csidhB)
            # sample from [min(0,x)-delta*B, max(0,y)+delta*B];
            # reject outside [-delta*B; +delta*B]
            prob += weight * isz(delta) / (isz(delta) + max(0,y) - min(0,x))
    return prob ** csidhn  # entries are independent

@cached_function
def max_u(t, S):  # largest possible u for given S,t
    u, F = 1, lambda u: Bin(t+u, 1/S, t)
    while F(u) <= 2**-secbits: u *= 2
    lo, hi = u//2, u+1
    while hi - lo > 1:  # binary search for the largest u with F(u) <= 2^-secbits
        m = (lo+hi+1)//2
        if F(m) <= 2**-secbits: lo = m
        else: hi = m
    return lo

def prob_sign(t, u, sigma):
    return Bin(t+u, sigma, t)

def exp_csidhs_sign(t, u, delta, S, prob):
    # expected number of CSIDH evaluations for one signature
    pr_single = prob(delta, S)
    pr_all = prob_sign(t, u, pr_single)
    return (t+u) * delta / pr_all

def csidhs_verif(t, delta):
    # number of CSIDH evaluations for one verification
    return t * delta

for s in range(1, 17):
    S = 2**s
    t = ceil(secbits/log(S,2)) - 1
    last_umax = -1
    best_time, no_progress = infinity, 0
    while True:
        if no_progress >= max(16, t/8): break  # XXX hack
        t += 1
        if Bin(t + 4*t, 1/S, t) < 2**-secbits: umax = 4*t  # XXX hack
        else: umax = max_u(t,S)
        no_progress_inner = True
        # the original variant 'O' is only evaluated for the smallest t
        for variant in ('OTF' if t == ceil(secbits/log(S,2)) else 'TF'):
            for u in ([0] if variant == 'O' else reversed(range(last_umax+1, umax+1))):
                print(log(S,2), variant, t, u, no_progress, file=sys.stderr)
                prob = {'O': prob_accept_original,
                        'F': prob_accept_full,
                        'T': prob_accept_truncate}[variant]
                @cached_function
                def f(x): return exp_csidhs_sign(t, u, x, S, prob)
                if variant == 'O':
                    delta = csidhn * t
                else:
                    _, delta = find_local_minimum(f, 1, 2**24, tol=1)
                    delta = min((floor(delta), ceil(delta)), key=f)
                if f(delta) < best_time:
                    print(('logS={:2d} t={:3d} u={:3d} delta={:4d} {} ~> '
                           'pksize={:9,d}b sigsize={:7,d}b '
                           'tries={:8.6f} signCSIDHs={:9,d} verifCSIDHs={:9,d}')
                          .format(log(S,2), t, u, delta, variant,
                                  pksize(t,S),
                                  sigsize(S, t, u, delta, variant),
                                  float(1 / prob_sign(t, u, prob(delta, S))),
                                  round(f(delta)),
                                  csidhs_verif(t, delta)))
                    best_time = f(delta)
                    no_progress_inner = False
        no_progress = no_progress + 1 if no_progress_inner else 0
        last_umax = umax
Chapter 7

Superspecial (2,2)-hash
functions

Obvious is the most dangerous word in mathematics.

Eric Temple Bell

Publication data

Wouter Castryck and Thomas Decru and Benjamin Smith (2020). Hash
functions from superspecial genus-2 curves using Richelot isogenies. J. Math.
Cryptol., 14(1), 268–292.

Own contribution

My main contributions are the implementation of the hash function as well as
writing several sections of the paper such as the example G13.

HASH FUNCTIONS FROM SUPERSPECIAL GENUS-2 CURVES
USING RICHELOT ISOGENIES

WOUTER CASTRYCK, THOMAS DECRU, AND BENJAMIN SMITH

Abstract. In 2018 Takashima proposed a version of Charles, Goren and
Lauter's hash function using Richelot isogenies, starting from a genus-2 curve
that allows for all subsequent arithmetic to be performed over a quadratic finite
field Fp2 . In 2019 Flynn and Ti pointed out that Takashima’s hash function
is insecure due to the existence of small isogeny cycles. We revisit the con-
struction and show that it can be repaired by imposing a simple restriction,
which moreover clarifies the security analysis. The runtime of the resulting
hash function is dominated by the extraction of 3 square roots for every block
of 3 bits of the message, as compared to one square root per bit in the elliptic
curve case; however in our setting the extractions can be parallelized and are
done in a finite field whose bit size is reduced by a factor 3. Along the way
we argue that the full supersingular isogeny graph is the wrong context in
which to study higher-dimensional analogues of Charles, Goren and Lauter’s
hash function, and advocate the use of the superspecial subgraph, which is the
natural framework in which to view Takashima’s Fp2 -friendly starting curve.

1. Introduction
After a cautious start with Couveignes’ unpublished note [10] from 1997 and
Stolbunov’s master thesis [32] from 2004, the area of isogeny-based cryptography
took a more visible turn in 2006 when Charles, Goren and Lauter [8] showed how
to construct collision-resistant hash functions from deterministic walks in isogeny
graphs of supersingular elliptic curves over finite fields. Five years later Jao and De
Feo applied similar ideas to the design of a key exchange protocol [23, 12] now known
as SIDH, after which isogenies became a very active topic of cryptographic research,
largely due to their promise of leading to quantum resistant hard problems. Some of
the recent constructions include non-interactive key exchange [13, 6], signatures [11,
15, 2] and verifiable delay functions [14]. In January 2019 SIKE [1], which is an
incarnation of SIDH, was chosen as one of the seventeen second-round contenders
to become a NIST standard for post-quantum key establishment.1
While almost all of the ongoing research in isogeny-based cryptography is de-
voted to elliptic curves, there is a general awareness that many proposals should
generalize to principally polarized abelian varieties (e.g., jacobians) of arbitrary
dimension. This particularly applies to the supersingular isogeny walks on which
SIDH and Charles, Goren and Lauter’s hash function are based. In fact, in a
follow-up paper [7, §6.2] the latter authors already hint at the possibility of a
higher-dimensional analogue of their hash function. In 2018, Takashima [33, §4.2]
made the concrete proposal of using jacobians of supersingular genus-2 curves and

1 See https://csrc.nist.gov/projects/post-quantum-cryptography/round-2-submissions.

their 15 outgoing (2, 2)-isogenies, which can be evaluated efficiently through
Richelot's formulas. By disallowing backtracking he uses this to process one base-14
digit for each isogeny evaluation. Moreover he provides specific starting curves,
such as y^2 = x^5 + 1 over Fp with p ≡ 4 mod 5, which allow for all computations to
be done over Fp2, as was shown by himself and Yoshida about a decade ago [34].
Unfortunately Takashima’s hash function is not collision-resistant due to the inher-
ent presence of small cycles in the resulting isogeny graph, as was pointed out very
recently by Flynn and Ti [18], who then proceeded with studying a genus-2 variant
of SIDH.
The contributions of this paper are as follows. First, in Section 2 we argue that
the full supersingular isogeny graph is the wrong arena for higher-dimensional
analogues of Charles, Goren and Lauter's hash function, and promote the use of
superspecial subgraphs. In doing so we give a natural explanation for why Takashima and
Yoshida's starting curve indeed allows for all subsequent arithmetic to be carried
out in Fp2. Second, some first properties of the (2, 2)-isogeny graph of
superspecial principally polarized abelian surfaces are gathered and proved in Section 4 and
Appendix A. Third and foremost, we repair Takashima's hash function by showing
that an extremely simple restriction (which still allows us to process one base-8
digit, i.e., 3 bits per isogeny) both prevents the Flynn–Ti attack and simplifies the
reasoning on security; we also show that with high probability, the starting curve
y^2 = (x^2 − 1)(x^2 − 2x)(x − 1/2) over Fp with p ≡ 5 mod 6 naturally avoids running
into products of elliptic curves, which as we will see are technical nuisances. The
details can be found in Section 6 and Section 7. In Sections 8 and 9 we report on
an implementation in Magma and compare its performance with the elliptic curve
case of Charles, Goren and Lauter.

Why generalize? Besides scientific curiosity, we see a number of motivations for
investigating higher-dimensional isogeny-based cryptography:
(1) There seem to exist beneficial trade-offs between the larger computational
cost of each isogeny evaluation and features such as larger graph sizes,
higher numbers of outgoing isogenies, or arithmetic in smaller finite fields.
As an illustration of this, we note that in Charles, Goren and Lauter’s hash
function one needs to compute one square root for each digested bit, while
our proposal uses 3 square roots per 3 bits, which seems like no improvement
at all, except that our square roots are to be extracted in finite fields of
about one third of the bit size and can be handled in parallel. See Section 9
for some further comments on this.
(2) The fact that higher-dimensional abelian varieties have torsion subgroups
of larger rank may allow for a symmetric set-up of SIDH in which Alice
and Bob sample their secrets from the same space (but this is not touched
upon in the current paper).

2. Supersingular versus superspecial


One apparent point of concern is that in the case of elliptic curves over a
finite field of characteristic p, supersingularity has many equivalent
characterizations whose natural generalizations to higher dimension become distinct notions.
For instance, one such characterization reads that the trace t of Frobenius satisfies
t ≡ 0 mod p, which naturally generalizes to the requirement that the Hasse–Witt
matrix M ∈ F_p^{g×g} vanishes identically; this notion is called superspeciality.^2 An
alternative characterization states that the Newton polygon is a straight line segment
called supersingularity, but in dimension g ≥ 2 this is a weaker condition than su-
perspeciality. A third characterization is that there exists no non-trivial p-torsion.
This also makes sense in arbitrary dimension but in dimension g ≥ 3 it weakens
the notion of supersingularity. A curve is called superspecial or supersingular if its
accompanying jacobian is superspecial or supersingular respectively.
We refer to Li and Oort’s book [28] and to Brock’s thesis [3] and the references
therein for general facts on supersingularity and superspeciality. Most notably, it
can be shown that an abelian variety is supersingular if and only if it is isogenous
to a product of supersingular elliptic curves, while it is superspecial if and only if
it is isomorphic to such a product. Remarkably enough, in dimension g ≥ 2 all
such products are isomorphic to each other, see e.g. [3, Thm. 2.1A] or [28, p. 13].
However, here we stress that ‘isogenous’ and ‘isomorphic’ should be understood in
the context of abstract abelian varieties over Fp , discarding the principal polariza-
tion with which they may come equipped. In contrast, as p grows there exist many
isomorphism classes of superspecial principally polarized abelian varieties, such as
jacobians of superspecial curves: see Proposition 2 below for a precise count for
g = 2.3 We will abbreviate principal polarization to p.p. from now on and will also
assume that a product of elliptic curves always comes with the product polarization,
unless stated otherwise.
We believe that the full graph of supersingular p.p. abelian varieties is the wrong
context in which to study Charles–Goren–Lauter hash functions in dimension g ≥ 2.
Instead we argue for use of the superspecial subgraph. Indeed, the moduli space of
supersingular p.p. abelian varieties over Fp is ⌊g^2/4⌋-dimensional [28, 4.9], whereas
the superspecial sublocus is 0-dimensional [3, Thm. 3.9A]. The latter implies that
there is only a finite number of them and, furthermore, they all admit a model over
Fp2 whose Frobenius endomorphism has characteristic polynomial χ(t) = (t ± p)^{2g},
in particular it acts as multiplication by ±p; see [21]. Assuming that p is odd,
this implies that all 2-torsion is Fp2 -rational, hence so are all (2, 2, . . . , 2)-isogenies
and their codomains. By [3, Lem. 2.2A] these are again superspecial p.p. abelian
varieties whose Frobenius has the same characteristic polynomial, so the argument
repeats and we conclude that the full superspecial (2, 2, . . . , 2)-isogeny graph is
defined over Fp2 . In fact, this is just an illustration of the general phenomenon that
the rank of the Hasse–Witt matrix is invariant under separable isogenies, a proof
of which can be found in Appendix C.
This clarifies the aforementioned observation by Takashima and Yoshida, whose
starting curves are indeed superspecial. Several more examples of superspecial
genus-2 curves over Fp can be found in [22], including y^2 = x^5 − x which is
superspecial if and only if p ≡ 5 or 7 mod 8, and y^2 = (x^2 − 1)(x^2 − 2x)(x − 1/2) which
is superspecial if and only if p ≡ 5 mod 6. In characteristics 2 and 3 superspecial

2 For an arbitrary abelian variety A, being superspecial means that Frobenius acts as the zero
map on H^1(A, O_A). If A is the jacobian of a curve then this amounts to the Hasse–Witt matrix
being zero.
3 We refer the reader, e.g., to Howe's paper [19] for examples of jacobians that become
isomorphic when the polarization is dropped.

genus-2 curves do not exist. In general it seems unknown how to write down the
equation of a random superspecial genus-2 curve.
Note that superspecial p.p. abelian varieties were also considered in Charles,
Goren and Lauter’s follow-up paper [7], albeit in a more theoretical context and
using different edge and vertex sets for the associated graphs.

3. Further preliminaries
3.1. Hyperelliptic curves of genus 2. Let K be a field of characteristic p > 5. A
(hyperelliptic) curve of genus 2 over K is an algebraic curve defined by an equation
of the form y^2 = f(x), where f(x) ∈ K[x] is a squarefree polynomial of degree 5
or 6. Up to K-isomorphism, any genus-2 curve has a representation with a monic
polynomial of degree 6 and we will mostly work with these representations since it
eases up the notation quite a bit. All formulas provided still work with a degree
5 polynomial if one sees the missing linear factor as 0 · x + 1. A genus-2 curve is
completely determined (up to K-isomorphism) by weighted projective invariants
called Igusa invariants. Since we only work over odd-characteristic fields, we opt to
characterize them with the absolute Igusa invariants defined in [5]. For our discussion
it suffices to know that these invariants consist of an ordered triple (j1, j2, j3) ∈ K^3.
3.2. Richelot isogenies. A Richelot isogeny is a (2, 2)-isogeny between jacobians
of genus-2 curves, i.e. the kernel of the isogeny is a group isomorphic to Z/2Z⊕Z/2Z
that is maximal isotropic with regards to the 2-Weil pairing. Richelot isogenies
split multiplication-by-2, in the sense that each Richelot isogeny φ : J_C → J_{C'} has
a unique dual Richelot isogeny φ̂ : J_{C'} → J_C, and φ̂ ∘ φ = [2]_{J_C}. We recall here
some of the facts about Richelot isogenies that are relevant to our construction; for
a more in-depth discussion and a proof of Proposition 1, we refer to [31, Chapter 8].
The 2-torsion of the jacobian of the genus-2 curve C : y^2 = f(x) = ∏_{i=1}^{6} (x − α_i) is
{0} ∪ {[(α_i, 0) − (α_j, 0)] : i < j}, where the square brackets denote linear equivalence
classes of divisors. A subgroup of the 2-torsion being maximal isotropic with regards
to the 2-Weil pairing in this context simply means that the group contains exactly
3 non-trivial elements and that all αi , 1 ≤ i ≤ 6, occur exactly once in all the
representations combined. Hence the Richelot isogenies can be represented by sets
of quadratic factors of f (x) that are pairwise coprime. More precisely, we define:
Definition 1. A quadratic splitting of a squarefree degree 6 (resp. degree 5) poly-
nomial f (x) ∈ K[x] is an unordered triple {G1 , G2 , G3 } ⊂ K[x] of quadratic (resp.
two quadratic and one linear) polynomials such that G1 G2 G3 = f (x), considered
modulo the equivalence
{G1, G2, G3} ∼ {βG1, γG2, (βγ)^{−1} G3} for all β, γ ∈ K^×.
Returning to the above setting, let us write
G1 = g_{1,3} x^2 + g_{1,2} x + g_{1,1} = (x − α1)(x − α2),
G2 = g_{2,3} x^2 + g_{2,2} x + g_{2,1} = (x − α3)(x − α4),
G3 = g_{3,3} x^2 + g_{3,2} x + g_{3,1} = (x − α5)(x − α6),
where we incorporate the leading coefficients gi,3 for the sake of generality (e.g., to
cope with the degree 5 case where one of the gi,3 ’s becomes zero). Then one sees
that the (2, 2)-isogeny with kernel {0, [(α1 , 0) − (α2 , 0)], [(α3 , 0) − (α4 , 0)], [(α5 , 0) −
(α6 , 0)]} can be identified by the quadratic splitting {G1 , G2 , G3 } of f (x).

There are 15 possible ways of organizing the roots αi into distinct quadratic
splittings. It is possible that the resulting quadratics are only defined over an
extension of the field over which our curve C is defined, in which case both the
corresponding (2, 2)-isogeny and its codomain also might be defined over this field
extension. Nevertheless, if the splitting is fixed by Frobenius as a set, then the
isogeny and codomain are defined over the ground field. As mentioned in Section 2,
in the case of superspecial p.p. abelian surfaces, all domains, kernels, (2, 2)-isogenies
and associated codomains are defined over Fp2 up to isomorphism.
Proposition 1. Let C : y^2 = G1(x) · G2(x) · G3(x) be a genus-2 curve, with
{G1, G2, G3} the quadratic splitting associated with a maximal 2-Weil isotropic
subgroup S ⊂ J_C[2], and let φ : J_C → A ≅ J_C/S be the quotient (2, 2)-isogeny.
Following the notation above, let
$$\delta := \det \begin{pmatrix} g_{1,3} & g_{1,2} & g_{1,1} \\ g_{2,3} & g_{2,2} & g_{2,1} \\ g_{3,3} & g_{3,2} & g_{3,1} \end{pmatrix}.$$
(1) If δ ≠ 0, then A is isomorphic to the jacobian of the genus-2 curve
C' : y^2 = δ^{−1} H1(x) · H2(x) · H3(x)
where
H1 := G2' G3 − G2 G3', H2 := G3' G1 − G3 G1', H3 := G1' G2 − G1 G2',
where G_i' is the derivative of G_i with respect to x. Moreover, {H1, H2, H3}
is a quadratic splitting corresponding to the dual isogeny φ̂ : J_{C'} → J_C.
(2) If δ = 0, then A is isomorphic to a product of elliptic curves E1 × E2 . The
vanishing of the determinant δ implies that there exist s1 and s2 in Fp2
such that
G_i = a_{i,1} (x − s1)^2 + a_{i,2} (x − s2)^2
for some a_{i,1} and a_{i,2} in Fp2 for i = 1, 2, 3. The elliptic curves forming the
product isomorphic to A can be defined by the equations
E1 : y^2 = ∏_{i=1}^{3} (a_{i,1} x + a_{i,2}), E2 : y^2 = ∏_{i=1}^{3} (a_{i,1} + a_{i,2} x),
and the isogeny φ is induced by φ1 × φ2, where φ1 : C → E1 is (x, y) ↦
((x − s1)^2/(x − s2)^2, y/(x − s2)^3) and φ2 : C → E2 is (x, y) ↦ ((x − s2)^2/(x − s1)^2, y/(x − s1)^3).
3.3. (2,2)-isogenies from products of elliptic curves. We have treated the
case of (2, 2)-isogenies whose domain is a jacobian; now we recall the corresponding
results for the case where the domain is a product of elliptic curves. For proofs and
more in-depth discussion, we refer to [20], [25] and [4].
Consider the p.p. abelian surface E1 × E2 given by the equations
E1 : y^2 = ∏_{i=1}^{3} (x − α_i), E2 : y^2 = ∏_{i=1}^{3} (x − β_i).

Just as in the case of jacobians of genus-2 curves, there are 15 outgoing
(2, 2)-isogenies with domain E1 × E2. Of these, 9 correspond to an isogeny that is the
product of 2-isogenies on the respective elliptic curves, such that the image of this
isogeny is again simply a product of elliptic curves. The other 6 determine an
isogeny where the kernel is given by

κ = {(O_{E1}, O_{E2}), (P1, Q_{σ(1)}), (P2, Q_{σ(2)}), (P3, Q_{σ(3)})},

where O_{E1} and O_{E2} are the neutral elements of E1 and E2, respectively, σ is a
permutation of {1, 2, 3}, and P_i = (α_i, 0), Q_i = (β_i, 0).^4 As long as κ is not the
restriction of the graph of an isomorphism E1 → E2, the image of the isogeny
determined by κ is the jacobian of a genus-2 curve which can be constructed as
follows. Define ∆α and ∆β as the discriminants of the monic cubic polynomials
∏_{i=1}^{3} (x − α_i) and ∏_{i=1}^{3} (x − β_i) respectively, and

a1 = (α3 − α2)^2/(β3 − β2) + (α2 − α1)^2/(β2 − β1) + (α1 − α3)^2/(β1 − β3),
b1 = (β3 − β2)^2/(α3 − α2) + (β2 − β1)^2/(α2 − α1) + (β1 − β3)^2/(α1 − α3),
a2 = α1(β3 − β2) + α2(β1 − β3) + α3(β2 − β1),
b2 = β1(α3 − α2) + β2(α1 − α3) + β3(α2 − α1).

It can be proved that ∆α, ∆β, a1, b1, a2, b2 are all nonzero, such that A = ∆β a1/a2
and B = ∆α b1/b2 are well defined and nonzero as well. With these notations in
mind, the image of the (2, 2)-isogeny with kernel κ is the jacobian of the genus-2
curve given by the equation

y^2 = − (A(α2 − α1)(α1 − α3) x^2 + B(β2 − β1)(β1 − β3))
· (A(α3 − α2)(α2 − α1) x^2 + B(β3 − β2)(β2 − β1))
· (A(α1 − α3)(α3 − α2) x^2 + B(β1 − β3)(β3 − β2)).

The three factors on the right hand side constitute a quadratic splitting for the
dual isogeny back to E1 × E2 ; note in particular that these factors are multiples of
each other so that the corresponding value of δ is indeed 0.
The final case to consider is when we want to construct an isogeny with domain
an abelian surface of the form E1 × E2, with E1 ≅ E2, and of which the kernel κ is
the restriction of the graph of an isomorphism α : E1 → E2. The codomain is then
the same as the domain and the (2, 2)-isogeny is given by

φ : E1 × E2 → E1 × E2
(P, Q) 7→ (P + α̂(Q), −Q + α(P )),

which is clearly self-dual.
In particular, if E1 ≅ E2 we will have strictly fewer than six (2, 2)-isogenies from
E1 × E2 to the jacobian of a genus-2 curve. The exact number in this case is given
by the formula 6 − #Aut(E1 )/2. If the j-invariant of E1 is 0 or 1728 then this
expression is 3 or 4, respectively (under the assumption that p > 3). In all other
cases this expression is 5 since the only automorphisms are ±1.

4 Note that there are other subgroups of E1 × E2 isomorphic to Z/2Z ⊕ Z/2Z, such as
{(O_{E1}, O_{E2}), (P1, O_{E2}), (P2, O_{E2}), (P3, O_{E2})}, but they are not maximal isotropic with regards
to the 2-Weil pairing so are not the kernel of a (2,2)-isogeny.

4. The superspecial (2, 2)-isogeny graph

For each prime p, we define a directed multigraph Gp as follows.5 The vertices of
Gp represent the isomorphism classes of superspecial p.p. abelian surfaces defined
over Fp . The graph Gp has an edge from vertex A1 to vertex A2 for every (2, 2)-
isogeny from the superspecial p.p. abelian surface corresponding to A1 to the one
corresponding to A2 , again up to isomorphism. Here, isomorphisms of outgoing
(2, 2)-isogenies are commutative diagrams
φ : A1 → A2, φ' : A1 → A2', ι : A2 → A2', with φ' = ι ∘ φ,
where φ and φ' are (2, 2)-isogenies and ι is an isomorphism of superspecial p.p.
abelian surfaces. Since the isomorphism class of an outgoing isogeny is uniquely
determined by its kernel, this simply means that we have an outgoing edge for each
(2, 2)-subgroup of A1 , i.e., each subgroup that is isomorphic to Z/2Z ⊕ Z/2Z and
maximal isotropic with regards to the 2-Weil pairing.
By construction, Gp is a 15-regular (multi)graph, since both types of superspecial
p.p. abelian surfaces have 15 different outgoing (2, 2)-isogenies. One might simplify
the situation by combining parallel edges to turn Gp into a simple directed graph,
but for our application we will need to distinguish between all 15 outgoing edges.
In any case, for large p the number of parallel edges is expected to be negligible
relative to the size of the graph (for very small p, where there are few superspecial
p.p. abelian surfaces, the opposite holds—as we will see in §5).
Since every p.p. abelian surface is isomorphic (as a polarized abelian variety) to
either the jacobian of a genus-2 curve or a product of elliptic curves, the vertices of
Gp fall into two classes:
V(Gp) = Ep ⊔ Jp,
where Ep is the set of isomorphism classes corresponding to products of supersingu-
lar elliptic curves, and Jp is the set of isomorphism classes of superspecial genus-2
jacobians. Proposition 2 gives us the cardinalities of these subsets.
Proposition 2. Let Gp , Ep , and Jp be defined as above.
• If p = 2 or 3, then #Jp = 0 and #Ep = 1.
• If p = 5, then #Jp = 1 and #Ep = 1.
• If p > 5, then
#Jp = (p^3 + 24p^2 + 141p − 346)/2880 + δ_p
5 Every (2, 2)-isogeny φ : A1 → A2 has a unique dual (2, 2)-isogeny φ̂ : A2 → A1, so one might
think that we could easily treat Gp as an undirected graph. Unfortunately, this may fail if A1
has automorphisms different from ±1. Indeed, in that case it is possible that two non-isomorphic
(2, 2)-isogenies φ : A1 → A2 and ψ : A1 → A2 are obtained from each other by pre-composition
with such an automorphism, so that their duals are obtained from one another by post-composition
with this automorphism (more precisely if φ = ψ ◦ α then φ̂ = α−1 ◦ ψ̂). So these duals have
the same kernel, hence they are isomorphic. In the elliptic curve case, this technicality can be
combated by choosing p ≡ 1 mod 12, since then the automorphisms of all curves are always ±1.
In the case of superspecial genus-2 curves, however, no such convenient restriction exists: there
are jacobians with a different number of automorphisms for any prime p [22].
and
#Ep = (1/2) · ((p − 1)/12 + ε_p) · ((p − 1)/12 + ε_p + 1),
where δ_p ∈ [0, 881/720] depends only on p mod 120 and ε_p ∈ [0, 7/6] depends only
on p mod 12.
Proof. The values for #Jp appear in [3, Theorem 3.10(b)] or [22, Theorem 3.3].
The formulas for #Ep follow from the fact that up to Fp-isomorphism, the number
of supersingular elliptic curves over Fp is (p − 1)/12 + ε_p, where ε_p ∈ [0, 7/6] depends
only on p mod 12 (see for example [30, Section V, Theorem 4.1(c)]). □
Proposition 2 implies that Gp is a finite graph, although this could already be
derived from the fact that every isomorphism class of superspecial p.p. abelian
surfaces has a representative defined over Fp2 . Asymptotically, we have
#Gp ∼ p^3/2880, #Ep ∼ p^2/288, #Jp ∼ p^3/2880.
In particular, the proportion of superspecial p.p. abelian surfaces that are the prod-
uct of two supersingular elliptic curves is O(1/p) relative to the total size of the
graph: for p large, the number of vertices in Gp that are not in Jp is negligible.
Informally, when p is large, one could see Ep as the “boundary” of the graph Gp ,
and Jp as the “interior”. A first reason is the size argument we just made. A second
reason is the connectivity of the 2 types of superspecial p.p. abelian surfaces that
we briefly touched on in the preliminaries. Indeed, every product of elliptic curves
has at least 9 out of 15 (2, 2)-isogenies that have a codomain that is a product of
elliptic curves as well, hence this part of our graph is very well connected while only
making up a fraction of our graph. Vice versa there is also no jacobian of a genus-2
curve that could be “hiding” in between the products of elliptic curves, which we
can make precise with the following theorem.
Theorem 1. With the notation above:
(1) Suppose p ≠ 5. If J is a vertex in Jp ⊂ Gp, then (counting multiplicity) at
most 6 of the 15 edges out of J are to vertices in Ep .
(2) If E is a vertex in Ep ⊂ Gp , then (counting multiplicity) at most 6 of the
15 edges out of E are to vertices in Jp .
Proof. Part (2) of this theorem was mentioned in the preliminaries; it follows from
the fact that 9 out of 15 (2, 2)-isogenies are simply a product of 2-isogenies from
the elliptic factors. A proof of a more general formula can be found in [25]. For a
proof of Part (1) using Gröbner bases, see Appendix A.^6 □
A simple counting argument then tells us that for sufficiently large p, the chance
of a vertex in Jp having a neighbour in Ep in our graph Gp is negligible. Intuitively
this makes sense, since the δ in Proposition 1 is the determinant of a seemingly
random 3 × 3 matrix for large p, and will therefore almost surely be nonzero.
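As an added worked example (constructed here, not code from the paper), the Richelot step of Proposition 1(1) and the edge count of Theorem 1(1), implemented over a prime field F_p with plain Python integers rather than the paper's F_{p^2} (the formulas are the same). It also checks that applying the H-formula to the dual splitting {H1, H2, H3} returns 2δ·G_i, the polynomial identity behind φ̂ ∘ φ = [2]; the sample input is the curve y^2 = x^5 − x over F_13 from Section 2, with the root at infinity standing in for the missing linear factor.

```python
# Richelot (2,2)-isogeny step (Proposition 1) over F_p, p an odd prime.
# Polynomials are ascending coefficient lists: [c0, c1, c2] = c0 + c1*x + c2*x^2.
# Added example, not the paper's code; F_p is used instead of F_{p^2} for brevity.

def poly_mul(a, b, p):
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % p
    return out

def poly_sub(a, b, p):
    n = max(len(a), len(b))
    a, b = a + [0] * (n - len(a)), b + [0] * (n - len(b))
    return [(x - y) % p for x, y in zip(a, b)]

def poly_deriv(a, p):
    return [(i * c) % p for i, c in enumerate(a)][1:] or [0]

def as_quadratic(poly, p):
    """Pad/trim to exactly [g1, g2, g3]; any x^3 or higher coefficient must vanish."""
    poly = [c % p for c in poly] + [0, 0, 0]
    assert all(c == 0 for c in poly[3:]), "degree > 2"
    return poly[:3]

def det3(m, p):
    (a, b, c), (d, e, f), (g, h, i) = m
    return (a * (e * i - f * h) - b * (d * i - f * g) + c * (d * h - e * g)) % p

def richelot_delta(G1, G2, G3, p):
    """delta of Proposition 1: rows are (g_{i,3}, g_{i,2}, g_{i,1}), i.e. descending."""
    return det3([[G[2], G[1], G[0]] for G in (G1, G2, G3)], p)

def richelot_transform(G1, G2, G3, p):
    """The H-polynomials of Proposition 1(1): H1 = G2'G3 - G2G3', and cyclically."""
    def wr(A, B):
        return as_quadratic(poly_sub(poly_mul(poly_deriv(A, p), B, p),
                                     poly_mul(A, poly_deriv(B, p), p), p), p)
    return wr(G2, G3), wr(G3, G1), wr(G1, G2)

def richelot_step(G1, G2, G3, p):
    """One edge of G_p out of a jacobian. Returns (delta, H, f') with
    C' : y^2 = f'(x) = delta^{-1} H1 H2 H3 when delta != 0, and (0, None, None)
    when the codomain is a product of elliptic curves (Proposition 1(2))."""
    delta = richelot_delta(G1, G2, G3, p)
    if delta == 0:
        return 0, None, None
    H = richelot_transform(G1, G2, G3, p)
    f2 = poly_mul(poly_mul(H[0], H[1], p), H[2], p)
    inv = pow(delta, -1, p)
    return delta, H, [(inv * c) % p for c in f2]

def dual_check(G1, G2, G3, p):
    """Applying the H-formula twice must give 2*delta*G_i: the identity behind
    {H1,H2,H3} being the dual splitting and dual(phi) o phi = [2].
    Returns True when it holds, None when delta = 0 (no jacobian codomain)."""
    delta = richelot_delta(G1, G2, G3, p)
    if delta == 0:
        return None
    K = richelot_transform(*richelot_transform(G1, G2, G3, p), p)
    return all(K[i] == [(2 * delta * c) % p for c in G]
               for i, G in enumerate((G1, G2, G3)))

def quadratic_from_pair(a, b, p):
    """(x-a)(x-b) as [g1, g2, g3]; None is the root at infinity of a degree-5
    model, which turns the pair into the linear factor 0*x^2 + x - a."""
    if a is None:
        a, b = b, a
    if b is None:
        return [(-a) % p, 1, 0]
    return [(a * b) % p, (-(a + b)) % p, 1]

def pairings(items):
    """All ways to split a list into unordered pairs: 15 for six items."""
    if not items:
        yield []
        return
    first, rest = items[0], items[1:]
    for i, other in enumerate(rest):
        for tail in pairings(rest[:i] + rest[i + 1:]):
            yield [(first, other)] + tail

def quadratic_splittings(roots, p):
    """The 15 quadratic splittings of f(x) = prod (x - alpha_i), one per (2,2)-subgroup."""
    return [tuple(quadratic_from_pair(a, b, p) for a, b in pr) for pr in pairings(list(roots))]

def count_product_neighbours(roots, p):
    """Edges out of J_C whose codomain lies in E_p, i.e. splittings with delta = 0;
    Theorem 1(1) bounds this by 6 for p != 5."""
    return sum(1 for G in quadratic_splittings(roots, p) if richelot_delta(*G, p) == 0)

# Sample input (constructed): C_1 : y^2 = x^5 - x over F_13 has roots 0, 1, 12, 5, 8
# (since 5^2 = -1 mod 13) plus the root at infinity of the degree-5 model.
ROOTS_X5_MINUS_X_F13 = [0, 1, 12, 5, 8, None]

if __name__ == "__main__":
    p = 13
    G = (quadratic_from_pair(0, 1, p), quadratic_from_pair(12, 5, p), quadratic_from_pair(8, None, p))
    delta, H, f2 = richelot_step(*G, p)
    print("delta =", delta, "codomain f' =", f2, "dual identity:", dual_check(*G, p))
    print("edges to products of elliptic curves:", count_product_neighbours(ROOTS_X5_MINUS_X_F13, p))
```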
We now state a pair of conjectures inspired by analogous theorems for the elliptic
supersingular 2-isogeny graph.
Conjecture 1. The graph Gp is connected.
6 In recent work revisiting an online version of the current paper, Katsura and Takashima
strengthen Theorem 1 by giving more precise counts, along with a more conceptual proof of
Part (1); see [26].

Conjecture 1 is the most natural from a mathematical point of view, but we will
need something stronger for a more efficient implementation of a collision-free hash
function. We mainly state it due to the analogy with the elliptic curve case.
Conjecture 2. The subgraph of Gp supported on Jp is connected.
Conjecture 2 (which is identical to Conjecture 1 in the elliptic case) is more rele-
vant to our discussion. It implies that Ep not only makes no significant contribution
to the size of Gp as p → ∞, but it is also not essential for connectivity. (Thus, again,
we consider Ep to be the “boundary” of Gp .) Conjecture 2 implies Conjecture 1, since
every vertex in Ep has at least 4 outgoing edges into Jp for p > 3 (as mentioned in
the preliminaries). Similarly, Conjecture 2 follows from Conjecture 3 in Section 6,
for which we have verified correctness up to and including p equal 1013.
As a final note, one may wonder if all non-superspecial supersingular p.p. abelian
surfaces also form a similar connected component (which is necessarily infinite).7
Since we will not use these abelian surfaces, we will not explore that thought further.

5. The graph G13

We now give a small example to show the possible case distinctions that can
occur in the graphs Gp . We take p = 13, since this yields a small graph that still
exhibits most of the subtleties and pathologies that we encounter in larger graphs.
Figure 1 shows G13 . There are 3 superspecial genus-2 curves defined over F13 up
to isomorphism, say Ci for i in {1, 2, 3}; we denote their jacobians by JCi . There
is only 1 supersingular elliptic curve defined over F13 up to isomorphism, say E, so
there is only one vertex in G13 that corresponds to a product of elliptic curves.
First of all it is easily verifiable that there are at most 6 outgoing edges from any
JCi to E × E, see Appendix A. Furthermore, since clearly E ≅ E, there are strictly
fewer than 6 outgoing edges from E × E to jacobians of genus-2 curves. Since the
j-invariant of E is not in {0, 1728}, we know from subsection 3.3 that there are
exactly 5 such edges, so the remaining 10 must go to products of elliptic curves as
well, which here (by lack of other options) means a loop with multiplicity 10.
This example also shows clearly why direction is important in the graph. There
are 4 edges from JC1 to JC2, but only 1 edge back. In other words C1 : y^2 = x^5 − x
has 4 quadratic splittings whose associated Richelot isogenies have JC2 as
codomain,8 while starting from any Weierstraß equation for C2 , only one quadratic
splitting gives rise to a Richelot isogeny with JC1 as codomain. This stems from
the fact that the 4 corresponding (2, 2)-subgroups of JC1 are mapped to each other
by an automorphism of JC1 . In other words the 4 resulting isogenies
φ1 , . . . , φ4 : JC1 → JC2
are obtained from one another by pre-composition with such an automorphism.
But then their duals
φ̂1, . . . , φ̂4 : JC2 → JC1
are obtained from each other by post-composition with an automorphism. In
particular they have the same kernel or, equivalently, they correspond to the same
quadratic splitting.
^7 More generally, in view of Appendix C one can wonder whether all supersingular genus-g curves having a given Hasse–Witt rank can be connected using a chain of (2, 2, …, 2)-isogenies.
^8 Up to isomorphism, that is: the resulting equations for the curve C_2 are in fact different, but the absolute Igusa invariants are the same.
10 WOUTER CASTRYCK, THOMAS DECRU, AND BENJAMIN SMITH

[Figure 1 is a drawing of G_13 with vertices JC_1, JC_2, JC_3 and E × E and edge multiplicities as labels; only the multiplicities discussed in the text (4 from JC_1 to JC_2, 1 back, 5 from E × E to jacobians, and a loop of multiplicity 10 at E × E) are recoverable here.]

Figure 1. The graph G_13. The vertices JC_i, i ∈ {1, 2, 3}, correspond to jacobians of genus-2 curves, whereas the vertex E × E corresponds to a product of elliptic curves. The numbers indicate the multiplicities of the edges.

The only phenomenon missing in this graph is a vertex corresponding to a product of non-isomorphic elliptic curves. Such vertices always have 9 outgoing edges (possibly loops) to other vertices in E_p, and 6 outgoing edges to vertices in J_p. The smallest example where this occurs is the graph G_17, which already has double the number of vertices of G_13.

6. A special class of paths in Gp


We are interested in the kinds of isogenies that are represented by paths in Gp :
that is, the compositions of isogenies corresponding to adjacent edges.
First, fix a single edge φ1 : A0 → A1 in Gp . By definition, φ1 represents (up to
isomorphism) a (2, 2)-isogeny: that is, an isogeny whose kernel is a maximal 2-Weil
isotropic subgroup of A0 [2], hence isomorphic to (Z/2Z)2 .
Now, consider the set of edges leaving A1 : these correspond to (2, 2)-isogenies
that may be composed with φ1 . We know that (counting multiplicity) there are
fifteen such edges. These edges fall naturally into three classes relative to φ1 ,
according to the structure of the kernel of the composed isogeny (which, in each
case, is a maximal 4-Weil isotropic subgroup of A0 [4]).

Definition 2. Let φ_1 : A_0 → A_1 and φ_2 : A_1 → A_2 be edges in G_p.

• We say that φ_2 is the (necessarily unique) dual extension of φ_1 if ker(φ_2 ∘ φ_1) ≅ (Z/2Z)^4, so φ_2 ∘ φ_1 is a (2, 2, 2, 2)-isogeny (hence isomorphic to [2]_{A_0}). In this case, ker φ_2 = φ_1(A_0[2]).
HASH FUNCTIONS FROM SUPERSPECIAL GENUS-2 CURVES 11

• We say that φ_2 is a bad extension of φ_1 if ker(φ_2 ∘ φ_1) ≅ (Z/4Z) × (Z/2Z)^2, so φ_2 ∘ φ_1 is a (4, 2, 2)-isogeny. In this case (ker φ_2) ∩ φ_1(A_0[2]) ≅ Z/2Z, and there are precisely 6 bad extensions of any given φ_1.
• We say that φ_2 is a good extension of φ_1 if ker(φ_2 ∘ φ_1) ≅ (Z/4Z)^2, so φ_2 ∘ φ_1 is a (4, 4)-isogeny. In this case (ker φ_2) ∩ φ_1(A_0[2]) = 0, and there are precisely 8 good extensions of any φ_1.
Remark 1. In [31, Definition 9.2.1], good extensions are called cyclic and bad
extensions are called acyclic. We prefer the good/bad terminology here to avoid
confusion with the notion of composing isogenies to form eventual cycles in Gp ; the
reason why good is good and bad is bad will become clear in Section 7.
We have seen how the three kinds of extensions
$$A_0 \xrightarrow{\varphi_1} A_1 \xrightarrow{\varphi_2} A_2$$
can be distinguished by how the kernel of φ_2 intersects with the image of A_0[2] under φ_1. We can make these criteria more explicit in terms of the Richelot isogeny formulas.

6.1. Extensions of isogenies from J_p to J_p. Recall the construction of Richelot isogenies φ_1 : JC_0 → JC_1 from Proposition 1: given the curve C_0 : y^2 = G_1 · G_2 · G_3, we set
$$H_1 := G_2' G_3 - G_3' G_2, \qquad H_2 := G_3' G_1 - G_1' G_3, \qquad H_3 := G_1' G_2 - G_2' G_1.$$
The curve C_1 is defined by C_1 : y^2 = δ^{−1} · H_1 · H_2 · H_3 where δ := det(G_1, G_2, G_3). The kernel of φ_1 corresponds to {G_1, G_2, G_3}, and the subgroup φ_1(JC_0[2]) ⊂ JC_1[2] corresponds to {H_1, H_2, H_3}.
Proposition 3. With the notation above: if
H1 = L1 · L2 , H2 = L3 · L4 , H3 = L5 · L6 ,
with the Li all linear (except possibly for one constant Li in the case where H1 H2 H3
is quintic), then the good extensions of φ1 are the Richelot isogenies with kernels
corresponding to one of the following factorizations of H1 H2 H3 :
(L1 L3 , L2 L5 , L4 L6 ), (L1 L3 , L2 L6 , L4 L5 ),
(L1 L4 , L2 L5 , L3 L6 ), (L1 L4 , L2 L6 , L3 L5 ),
(L1 L5 , L2 L3 , L4 L6 ), (L1 L5 , L2 L4 , L3 L6 ),
(L1 L6 , L2 L3 , L4 L5 ), (L1 L6 , L2 L4 , L3 L5 ).

Proof. The quadratic splitting {H1 , H2 , H3 } corresponds to the subgroup of JC1 [2]
which is the kernel of the dual φ̂1 , and also the image φ1 (JC0 [2]). The good exten-
sions of φ1 are those whose kernel intersects trivially with φ1 (JC0 [2]); they therefore
correspond to the quadratic splittings with no quadratics proportional to any of the
H_i. The list of 8 splittings above follows from direct calculation. □

We now discuss the good extensions of isogenies involving products of elliptic curves. This is mainly for the sake of completeness, because in our proposed hash function below, these cases will not be implemented.

6.2. Extensions of isogenies from J_p to E_p. Recall from the preliminaries that for a (2, 2)-isogeny φ_1 : JC_0 → E_1 × E_2, the domain can be written as the jacobian of a curve C_0 : y^2 = G_1 G_2 G_3, where
$$G_i = a_{i,1}(x - s_1)^2 + a_{i,2}(x - s_2)^2$$
for certain s_1, s_2, a_{i,1}, a_{i,2} ∈ F_{p^2} for i = 1, 2, 3. The elliptic curves determining the codomain can then be defined by the equations
$$E_1 : y^2 = \prod_{i=1}^{3} (a_{i,1} x + a_{i,2}), \qquad E_2 : y^2 = \prod_{i=1}^{3} (a_{i,1} + a_{i,2} x).$$
For i = 1, 2, 3 we will write {α_i, α_i'} for the roots of G_i, P_i = (−a_{i,2}/a_{i,1}, 0) for the Weierstraß points of E_1, Q_i = (−a_{i,1}/a_{i,2}, 0) for the Weierstraß points of E_2, and O_{E_1} and O_{E_2} for the neutral elements of E_1 and E_2 respectively.
Proposition 4. With the notation above, the good extensions of φ_1 are the (2, 2)-isogenies with kernel one of the 6 combinations
$$\{(O_{E_1}, O_{E_2}), (P_i, O_{E_2}), (O_{E_1}, Q_j), (P_i, Q_j)\},$$
for i ≠ j in {1, 2, 3}, or one of
$$\{(O_{E_1}, O_{E_2}), (P_1, Q_2), (P_2, Q_3), (P_3, Q_1)\}, \qquad \{(O_{E_1}, O_{E_2}), (P_1, Q_3), (P_2, Q_1), (P_3, Q_2)\}.$$
Proof. The proof of the formulas in [31, Proposition 8.3.1] shows that, for {i, j, k} = {1, 2, 3}, the 2-torsion elements [(α_i, 0) − (α_j, 0)], [(α_i, 0) − (α_j', 0)], [(α_i', 0) − (α_j, 0)], [(α_i', 0) − (α_j', 0)] get mapped to (P_k, Q_k) in E_1 × E_2. So the good extensions of φ_1 are the isogenies whose kernels intersect
$$\varphi_1(J_{C_0}[2]) = \{(O_{E_1}, O_{E_2}), (P_1, Q_1), (P_2, Q_2), (P_3, Q_3)\}$$
trivially, which are exactly the ones listed. □
Note that in the previous proposition, the 6 good extensions of the first type always have a product of elliptic curves as codomain. The other 2 will typically be to a jacobian of a genus-2 curve, unless E_1 ≅ E_2 and the given kernel is contained in the graph of an isomorphism θ : E_1 → E_2, i.e. the kernel can be written as
$$\{(O_{E_1}, O_{E_2}), (P_1, \theta(P_1)), (P_2, \theta(P_2)), (P_3, \theta(P_3))\}.$$
6.3. Extensions of isogenies from E_p to J_p. Recall from the preliminaries that every (2, 2)-isogeny φ_1 : E_1 × E_2 → JC_1, with
$$E_1 : y^2 = \prod_{i=1}^{3} (x - \alpha_i) \quad\text{and}\quad E_2 : y^2 = \prod_{i=1}^{3} (x - \beta_i),$$
always has as codomain the jacobian of a genus-2 curve C_1 that can be defined by an equation of the form
$$\begin{aligned} (1)\qquad y^2 = -&\bigl(A(\alpha_2 - \alpha_1)(\alpha_1 - \alpha_3)\,x^2 + B(\beta_2 - \beta_1)(\beta_1 - \beta_3)\bigr)\\ \cdot\ &\bigl(A(\alpha_3 - \alpha_2)(\alpha_2 - \alpha_1)\,x^2 + B(\beta_3 - \beta_2)(\beta_2 - \beta_1)\bigr)\\ \cdot\ &\bigl(A(\alpha_1 - \alpha_3)(\alpha_3 - \alpha_2)\,x^2 + B(\beta_1 - \beta_3)(\beta_3 - \beta_2)\bigr), \end{aligned}$$
up to permutation of the roots β_i, for well-defined nonzero constants A and B that depend on the α_i and β_i. We will denote the quadratic factors on the right hand side of Equation (1) on the first, second and third line by H_1, H_2 and H_3 respectively, such that C_1 : y^2 = −H_1 · H_2 · H_3.
Proposition 5. With the notation above: if
H1 = L1 · L2 , H2 = L3 · L4 , H3 = L5 · L6 ,
with the Li all linear (except possibly for one constant Li in the case where H1 H2 H3
is quintic), then the good extensions of φ1 are the Richelot isogenies with kernels
corresponding to one of the following factorizations of H1 H2 H3 :
(L1 L3 , L2 L5 , L4 L6 ), (L1 L3 , L2 L6 , L4 L5 ),
(L1 L4 , L2 L5 , L3 L6 ), (L1 L4 , L2 L6 , L3 L5 ),
(L1 L5 , L2 L3 , L4 L6 ), (L1 L5 , L2 L4 , L3 L6 ),
(L1 L6 , L2 L3 , L4 L5 ), (L1 L6 , L2 L4 , L3 L5 ).
Proof. The proof of Equation (1) in [20] constructs the dual isogeny φ̂_1 : JC_1 → E_1' × E_2', where E_1' ≅ E_1 and E_2' ≅ E_2. More specifically, E_1' and E_2' are given by
$$\begin{aligned} E_1' : y^2 = -&\bigl(A(\alpha_2 - \alpha_1)(\alpha_1 - \alpha_3)\,x + B(\beta_2 - \beta_1)(\beta_1 - \beta_3)\bigr)\\ \cdot\ &\bigl(A(\alpha_3 - \alpha_2)(\alpha_2 - \alpha_1)\,x + B(\beta_3 - \beta_2)(\beta_2 - \beta_1)\bigr)\\ \cdot\ &\bigl(A(\alpha_1 - \alpha_3)(\alpha_3 - \alpha_2)\,x + B(\beta_1 - \beta_3)(\beta_3 - \beta_2)\bigr),\\ E_2' : y^2 = -&\bigl(A(\alpha_2 - \alpha_1)(\alpha_1 - \alpha_3) + B(\beta_2 - \beta_1)(\beta_1 - \beta_3)\,x\bigr)\\ \cdot\ &\bigl(A(\alpha_3 - \alpha_2)(\alpha_2 - \alpha_1) + B(\beta_3 - \beta_2)(\beta_2 - \beta_1)\,x\bigr)\\ \cdot\ &\bigl(A(\alpha_1 - \alpha_3)(\alpha_3 - \alpha_2) + B(\beta_1 - \beta_3)(\beta_3 - \beta_2)\,x\bigr). \end{aligned}$$
Hence the quadratic splitting {H_1, H_2, H_3} corresponds to the subgroup of JC_1[2] which is the kernel of the dual φ̂_1 and we can continue the proof just as in the Richelot isogeny case. □
6.4. Extensions of isogenies from E_p to E_p.
Proposition 6. Let φ_1 : E_1 × E_2 → E_1' × E_2' be a (2, 2)-isogeny. Denote by O_{E_1}, O_{E_2}, O_{E_1'}, O_{E_2'} the identity elements of E_1, E_2, E_1' and E_2' respectively. For i = 1, 2, 3 we write P_i, Q_i, P_i', Q_i' for the Weierstraß points of E_1, E_2, E_1', E_2' respectively. If
$$\ker(\varphi_1) = \{(O_{E_1}, O_{E_2}), (P_1, O_{E_2}), (O_{E_1}, Q_1), (P_1, Q_1)\},$$
and φ_1|_{E_1}(P_2) = φ_1|_{E_1}(P_3) = P_1', φ_1|_{E_2}(Q_2) = φ_1|_{E_2}(Q_3) = Q_1', then the good extensions of φ_1 are the isogenies with kernel one of the 4 combinations
$$\{(O_{E_1'}, O_{E_2'}), (P_i', O_{E_2'}), (O_{E_1'}, Q_j'), (P_i', Q_j')\},$$
where i ≠ 1 and j ≠ 1, or one of
$$\begin{aligned} &\{(O_{E_1'}, O_{E_2'}), (P_1', Q_2'), (P_2', Q_3'), (P_3', Q_1')\},\\ &\{(O_{E_1'}, O_{E_2'}), (P_1', Q_3'), (P_2', Q_1'), (P_3', Q_2')\},\\ &\{(O_{E_1'}, O_{E_2'}), (P_1', Q_2'), (P_2', Q_1'), (P_3', Q_3')\},\\ &\{(O_{E_1'}, O_{E_2'}), (P_1', Q_3'), (P_2', Q_2'), (P_3', Q_1')\}. \end{aligned}$$
Proof. The good extensions are determined by the (2, 2)-isogenies whose kernels intersect
$$\{(O_{E_1'}, O_{E_2'}), (P_1', O_{E_2'}), (O_{E_1'}, Q_1'), (P_1', Q_1')\}$$
trivially, so the proof is immediate. □

6.5. Connectedness.
Conjecture 3. For every two vertices A and A' in J_p ⊂ G_p, there exists a path
$$A = A_0 \xrightarrow{\varphi_0} A_1 \xrightarrow{\varphi_1} \cdots \xrightarrow{\varphi_{k-1}} A_k = A'$$
of k edges, for some k ≥ 0, such that all of the A_i are in J_p and each φ_i, i ≠ 0, is a good extension of φ_{i−1}. (The composed isogeny is then a (2^k, 2^k)-isogeny.)
Conjecture 3 is our strongest conjecture. It differs from Conjecture 2 in that at
each step in a path, the number of choices is reduced from all 15 isogenies to the
8 good isogenies. Conjecture 3 is easy to verify for small p using the formulas for
Richelot isogenies and the exact formula from Theorem 2. We verified this part of
the conjecture for p ≤ 1013 using Magma, but from then onward the computations
become slow since we work with graphs of several hundred thousands of vertices
already. Nonetheless, this is a first indication that Conjecture 3 might hold.

7. Hash functions from Richelot isogenies


Turning the graph Gp into a hash function happens analogously to the elliptic
curve case with some small caveats. We will first describe the function in general,
thereby repairing Takashima’s proposal from [33], and then explain the underlying
reasoning in detail afterwards. When reading this section, it can be helpful to keep
the Magma code in Appendix B at hand.
We start by choosing a large prime p (as a function of some security parameter λ) such that p ≡ 5 mod 6. We start at the vertex corresponding to the jacobian of the genus-2 curve C_0 defined over F_{p^2}, given by the equation y^2 = x(x − 1)(x + 1)(x − 2)(x − 1/2). The hash function starts by taking a relatively small deterministic walk away from C_0, which can be achieved through multiplication of the input by a relatively small power of 8, or equivalently, padding its bit expansion with a number of zero triples. This is done to move away from the vertex corresponding to the jacobian of our starting curve, since it is known to have many automorphisms, resulting in small cycles in our graph which lead to collisions; see Section 7.3 for a more elaborate discussion. In our pseudocode from Algorithm 1, as well as in our proof-of-concept implementation in Appendix B, we padded with 30 zeroes for the sake of exposition, but this choice is somewhat arbitrary.
The hashing will happen 3 bits at a time, with each three bits determining a
choice of one of the eight good extensions relative to the previous step. So for our
starting vertex we will need to make an initial choice as if we performed a step prior
to starting. The quadratic splitting we will choose for C_0 is
$$\{\,x^2 - 1,\ x^2 - 2x,\ x - \tfrac{1}{2}\,\}.$$
The 8 quadratic splittings that we will consider are those that have no quadratic
factor in common with the one that was obtained from the previous step. These
splittings are then ordered according to some natural order of the roots. In practice
this means we just need to fix a quadratic equation that determines the field ex-
tension Fp ⊆ Fp2 . Next we process 3 bits (one base-8 digit) of our input, using it to
choose an edge according to the ordering of the quadratic splittings. If the chosen
edge leads to a vertex corresponding to the product of elliptic curves, the function
stops and outputs an error. If the chosen edge leads to a vertex corresponding to a
jacobian of a genus-2 curve, then we have 8 good extensions again, this time relative

to the previous step. We now repeat the process for the remainder of the message,
where each block of 3 bits corresponds to one choice of edge that takes us to a new
vertex in the graph. Once the entire message has been processed we output the
absolute Igusa invariants of the genus-2 curve corresponding to the final vertex.
Remark 2. We chose to abort the hashing as soon as a product of elliptic curves is encountered, in order not to get lost in technical details that apply with probability O(1/p) and which would distract from the main construction. Note that 1/p is only slightly larger than the probability of breaking the hash function using Pollard ρ. Nevertheless this is a nuisance, but as discussed in Section 7.2 below, there are several tracks for getting around this.
7.1. Avoiding trivial cycles. A hash function should be collision-resistant, so we
need to at least avoid trivial cycles in our graph. In the elliptic curve case, this is
simply done by disallowing the edge associated to the dual isogeny from where we
just came. Similarly, we must avoid using dual isogenies when walking in G_p, to avoid the trivial cycle
$$A_0 \xrightarrow{\varphi_1} A_1 \xrightarrow{\hat\varphi_1} A_0.$$
But there is an additional subtlety in genus 2, as noted in [18]. If we compose a (2, 2)-isogeny A_0 → A_1 with a bad extension A_1 → A_2, then we get a (4, 2, 2)-isogeny; but then, for every (4, 2, 2)-isogeny A_0 → A_2 there are 3 distinct ways to split it up into the concatenation of two (2, 2)-isogenies, as in the following diagram:
$$A_0 \xrightarrow{\varphi_1'} A_1' \xrightarrow{\varphi_2'} A_2, \qquad A_0 \xrightarrow{\varphi_1} A_1 \xrightarrow{\varphi_2} A_2, \qquad A_0 \xrightarrow{\varphi_1''} A_1'' \xrightarrow{\varphi_2''} A_2.$$
Luckily all these cases are easy to distinguish, as we saw in Section 6.


The eight (2, 2)-isogenies corresponding to good extensions do not result in trivial
cycles. In practice this means that, after a choice for our initial (2, 2)-isogeny
corresponding to one of 15 possible edges, we are left with only 8 options at every
next step along the way. This implies that we should not only keep track of our
current vertex by some form of equation, but also by some order of the roots of
that equation (or more precisely, by a quadratic splitting).
This observation means we can hash up to 3 bits at every step in our hash
function and that a hash will always correspond to computing a (2k , 2k )-isogeny.

7.2. Products of elliptic curves. For our hash function, the vertices correspond-
ing to products of elliptic curves are a nuisance for the following reasons.
• There is no clear candidate invariant that is similar to the ordered triple in
case of the genus-2 absolute Igusa invariants. So ideally, we would prefer
not to end the hash function in a vertex like this.

• The formulas involving products of elliptic curves are a lot more involved
than the Richelot isogenies, and their simplicity was one of the main reasons
for the restriction to (2, 2)-isogenies.
In the way we presented our hash function, we simply use Richelot isogenies only
and let our hash function break down whenever we pass a vertex corresponding to
a product of elliptic curves. Given that this only occurs with probability O(1/p),
this only happens with negligible probability for cryptographic values of p.
An alternative way of dealing with this is as follows. Assume we try to process
a step in our hash function that corresponds to a (2, 2)-isogeny between a jacobian
of a genus-2 curve and a product of elliptic curves. Then (in the same step) we
immediately choose one edge corresponding to a (2, 2)-isogeny from the product
of elliptic curves back to a jacobian of a genus-2 curve. This has to be done in
a deterministic way and we should avoid the dual and bad extensions since they
would result in small cycles in G_p. Unfortunately Proposition 4 tells us that we can only find 2 good extensions that possibly have the jacobian of a genus-2 curve as codomain. In the case of E × E, with E having j-invariant 0 or 1728, these kernels may both lead to a product of elliptic curves again. Solving this issue can be done by either choosing p ≡ 1 mod 12 (such that the elliptic curves with j-invariant 0 and 1728 are not supersingular and hence never occur; note that this is incompatible with the starting curve C_0 of Section 7.3, whose superspeciality requires p ≡ 5 mod 6), or by (deterministically) using the results from Proposition 6 to add an extra step in this specific case.
A third option is to keep working with all the formulas for products of elliptic
curves as well. This means we should find a way to merge the absolute Igusa
invariants and (unordered) pairs of j-invariants into one output type, which is only
an issue when ending in a product of elliptic curves.
7.3. Initial choices. As mentioned earlier, there is no known way to generate the equation of a random superspecial genus-2 curve that is defined over F_{p^2}. Some specific examples such as y^2 = x^5 − x with p ≡ 5 or 7 mod 8 are listed in [22]. Unfortunately, the examples that are easiest to represent all have some (2, 2)-isogenies with codomain the product of 2 supersingular elliptic curves. This seems to imply that we cannot avoid having to deal with vertices corresponding to products of elliptic curves.
However, another initial choice to make is whether we start by picking one of
15 possible edges or already restrict ourselves to 8, since this is needed for every
subsequent step anyway. We will take only 8 which means we need to choose an
initial quadratic splitting instead of just an initial curve.9 Fortunately this solves
our problem of finding an appropriate starting curve in a way. Consider C_0, the genus-2 curve given by y^2 = x(x − 1)(x + 1)(x − 2)(x − 1/2) defined over F_p with p > 5. Then C_0 is superspecial if and only if p ≡ 5 mod 6 [22]. Now the vertex corresponding to the jacobian of C_0 has 4 neighbours that are products of supersingular elliptic curves. However, if we take the initial quadratic splitting
$$\{\,x^2 - 1,\ x^2 - 2x,\ x - \tfrac{1}{2}\,\},$$
then the 8 allowed outgoing (2, 2)-isogenies all have the jacobian of a superspecial genus-2 curve as codomain. The only restriction this puts on our hash function is that we need to work with a prime p such that p ≡ 5 mod 6, but this is easy to enforce.
^9 We remark that in this case, Conjecture 3 is no longer strong enough to prove that we can reach all vertices in G_p, since it relies on having all 15 initial (2, 2)-isogenies present. However, there is no clear reason to assume that allowing only 8 out of the 15 possible edges for our initial choice would suddenly prevent us from reaching certain vertices.
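The counts of Definition 2 (1 dual, 6 bad and 8 good extensions), the list of Proposition 3 in Section 6.1, and the claim just made that C_0 has exactly 4 product neighbours, none of which is reached by the 8 allowed edges, can all be checked with the following Python example. It is an added example and not code from the paper; the function names are ours. Because all six Weierstraß points of C_0 are F_p-rational, the δ = det(G_1, G_2, G_3) test only needs integer arithmetic modulo p, no F_{p^2}.

```python
"""Added example, not from the paper: the 15 quadratic splittings of a sextic classified relative to
a reference splitting (Definition 2, Proposition 3), and the delta = 0 test of Section 7.3 applied
to C_0 : y^2 = x(x-1)(x+1)(x-2)(x-1/2) over F_p, using only integer arithmetic modulo p."""

def quadratic_splittings(n=6):
    """All 15 pairings of the labels 0..n-1; a pair holding the label of the constant factor 1
    stands for a linear factor. Each pairing is a tuple of sorted pairs, ordered by smallest label."""
    def pairings(labels):
        if not labels:
            yield ()
            return
        first, rest = labels[0], labels[1:]
        for other in rest:
            for tail in pairings([l for l in rest if l != other]):
                yield ((first, other),) + tail
    return list(pairings(list(range(n))))

def classify(splitting, reference):
    """Number of quadratics shared with the reference splitting {H1, H2, H3} = phi_1(J[2]):
    3 = dual extension, 1 = bad extension, 0 = good extension (Definition 2); 2 cannot occur."""
    return {3: "dual", 1: "bad", 0: "good"}[len(set(splitting) & set(reference))]

# Proposition 3's eight good extensions of the reference (L1 L2, L3 L4, L5 L6), with 0-based labels.
GOOD_PROP3 = {((0, 2), (1, 4), (3, 5)), ((0, 2), (1, 5), (3, 4)), ((0, 3), (1, 4), (2, 5)), ((0, 3), (1, 5), (2, 4)),
              ((0, 4), (1, 2), (3, 5)), ((0, 4), (1, 3), (2, 5)), ((0, 5), (1, 2), (3, 4)), ((0, 5), (1, 3), (2, 4))}

def pmul(f, g, p):
    """Product of two polynomials over F_p given as coefficient lists, lowest degree first."""
    r = [0] * (len(f) + len(g) - 1)
    for i, a in enumerate(f):
        for j, b in enumerate(g):
            r[i + j] = (r[i + j] + a * b) % p
    return r

def delta(G, p):
    """delta = det(G1, G2, G3): determinant of the 3x3 coefficient matrix, rows padded to degree 2."""
    M = [[g[k] if k < len(g) else 0 for k in range(3)] for g in G]
    d = (M[0][0] * (M[1][1] * M[2][2] - M[1][2] * M[2][1])
         - M[0][1] * (M[1][0] * M[2][2] - M[1][2] * M[2][0])
         + M[0][2] * (M[1][0] * M[2][1] - M[1][1] * M[2][0]))
    return d % p

def c0_factors(p):
    """(x-1, x+1, x, x-2, x-1/2, 1) over F_p: five monic linear factors plus the constant 1 (root at infinity)."""
    half = pow(2, -1, p)
    return [[-1 % p, 1], [1, 1], [0, 1], [-2 % p, 1], [-half % p, 1], [1]]

def neighbours_of_c0(p, reference=((0, 1), (2, 3), (4, 5))):
    """For each of the 15 splittings of C_0: (splitting, class w.r.t. the initial splitting
    {x^2 - 1, x^2 - 2x, x - 1/2}, True iff its Richelot codomain is a product, i.e. delta = 0)."""
    L = c0_factors(p)
    rows = []
    for s in quadratic_splittings():
        G = [pmul(L[i], L[j], p) for i, j in s]
        rows.append((s, classify(s, reference), delta(G, p) == 0))
    return rows

def count_classes(p):
    """(#splittings per class, #product codomains, #product codomains among the good extensions)."""
    rows = neighbours_of_c0(p)
    per_class = {c: sum(1 for _, cls, _ in rows if cls == c) for c in ("dual", "bad", "good")}
    products = sum(1 for _, _, prod in rows if prod)
    products_among_good = sum(1 for _, cls, prod in rows if cls == "good" and prod)
    return per_class, products, products_among_good
```

Running count_classes(p) for any prime p > 5 gives the same picture: the initial splitting itself and three of its six bad extensions have δ = 0 (four product neighbours in total), while the eight good extensions all have δ ≠ 0, which is exactly why choosing the initial splitting, rather than just the initial curve, sidesteps the products of elliptic curves.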

An issue that arises with this curve C_0, however, is that its jacobian has many automorphisms and hence has multiple outgoing isogenies with the same codomain.^10 More precisely, starting from the given splitting of C_0, the 8 good extensions only have 3 distinct codomains up to isomorphism, one of which even occurs with multiplicity 5, which leads to trivial cycles in our graph. An easy way to fix this is to simply take a (relatively short) deterministic path to another curve C_0' prior to starting to hash our input, or equivalently, pad the input with some zeroes from the right. For other possible starting curves, this padding can be used to additionally avoid products of elliptic curves. Of course, once such a path to C_0' has been computed, this curve can be hard-coded as the new starting curve, so that no padding is needed when hashing subsequent inputs.

7.4. Security. The security of our hash function depends on the hardness of finding isogenies between certain p.p. abelian surfaces. Several of the choices discussed in the previous subsections make slight alterations to the underlying mathematical hard problems. We formulate them in a general form to keep them succinct, since we do not think any of the changes would impact the hardness of the problems. In essence they are the genus-2 counterparts of the hard problems underlying the elliptic curve hash function in [8].
Problem 1. Given two superspecial genus-2 curves C_1 and C_2 defined over F_{p^2}, find a (2^k, 2^k)-isogeny between their jacobians.
Problem 2. Given any superspecial genus-2 curve C_1 defined over F_{p^2}, find
(1) a curve C_2 and a (2^k, 2^k)-isogeny JC_1 → JC_2,
(2) a curve C_2' and a (2^{k'}, 2^{k'})-isogeny JC_1 → JC_2',
such that C_2 and C_2' are $\overline{\mathbb{F}}_p$-isomorphic (i.e. have the same absolute Igusa invariants). Here, it is allowed that k = k', but in this case the kernels should be different.
They are related to our hash function in the following way.
• Preimage resistance: Finding a preimage in our hash function implies a solution to Problem 1 with C_1 = C_0' as follows. Let C_2 be a representative of the isomorphism class of the output of the hash function. A preimage for that output corresponds to a path of length k in our graph, or equivalently, a (2^k, 2^k)-isogeny between the jacobians of C_0' and C_2.
• Collision resistance: Finding a collision in our hash function implies a solution to Problem 2 with C_1 = C_0' as follows. A collision in our hash function corresponds to two distinct paths in our graph with the same ending vertex. Equivalently this amounts to a pair of isogenies
$$\varphi : J_{C_0'} \to J_{C_2} \quad\text{and}\quad \varphi' : J_{C_0'} \to J_{C_2'}$$
of type (2^k, 2^k) resp. (2^{k'}, 2^{k'}) such that C_2 ≅ C_2', and with different kernels.
To our knowledge, there are no known ways to find isogenies of the said kinds
between jacobians of (superspecial) genus-2 curves which perform better than the

10Remark that in the elliptic curve case the same thing happens with for example y 2 = x3 + x
with p ≡ 3 mod 4. The SIKE protocol has a similar issue with its starting curve and solves it by
simply forbidding one possible outgoing isogeny.

generic attacks.^11 In the classical case the best known such attack is Pollard ρ, which can find a collision or preimage in time roughly the square root of the number of possibilities times the cost of one step. In our case we have a graph of size O(p^3) and one step is simply a polynomial computation with some constants, which costs time polynomial in log p. Hence a Pollard ρ attack could find a solution to Problem 1 or Problem 2 in time Õ(p^{3/2}).
With quantum computers in mind, the best known attack is a claw-finding algorithm to find a collision or preimage in the graph G_p. Grover search would yield a square-root attack in O(p^{3/2}). The algorithm of [35] would yield an attack with time complexity the cube root of the size of the graph we work over; this would imply a solution to Problem 1 or Problem 2 in time Õ(p). However, Jaques and Schanck have shown that the data structures required by this algorithm add significantly to its complexity, to the point where it does not in fact beat square-root algorithms (which have much lower quantum memory requirements) [24]; this suggests that Õ(p^{3/2}) is (currently) the correct complexity estimate for our problems.

8. Implementation and timings


We have implemented our hash function in Magma, taking into account all the
choices made from the previous section. The pseudocode can be found below; the
Magma code can be found in Appendix B. The subroutine Factorization is defined
as follows: when the input is a quadratic polynomial, Factorization returns its
two linear factors (which, in this application, are guaranteed to exist over the ground
field). When the input is a linear polynomial, it returns that polynomial and 1.
Remark 3. We do not keep track of the leading coefficient of the polynomial
determining the genus-2 curve, for the reason that a twist of a curve does not
change its absolute Igusa invariants anyway. Similarly we never need to know the
exact value of δ = det(G1 , G2 , G3 ). We are only interested in whether or not δ
equals 0, and with the formulas from the preliminaries, this condition can be easily
verified to be equivalent to all Hi being a multiple of one another. Hence it suffices
to check if rank(H1 , H2 ) < 2 instead, i.e. if H1 is a nonzero multiple of H2 .
The deterministic edge ordering depends on two things. First, there is the (ar-
bitrary) way we hard-coded the set S of pairs of indices of the allowed quadratic
splittings. Secondly, the subroutine Factorization automatically orders the roots
of the polynomial in some way. In this statement we silently assumed that this
happens deterministically by the used software, which is the case for Magma.
Note that we do not claim this code is optimized in any way. For example we
simply pick the smallest prime p possible that satisfies our needs, whereas better
choices may speed up the arithmetic in the field we work over. Additionally, we did
not implement any proper padding schemes. The main goal of the implementation
is to see what the order of magnitude is for the speed of the hash function and we
leave possible optimizations for future work.
As a final remark we want to point out that the output of the hash function depends on the security level required. The output is a triple of elements of a quadratic extension of a prime field whose characteristic has roughly 2λ/3 bits in the case of classical security. This means our output has bit length 4λ, even though there are only about 2^{2λ} possible hash values.^12 It may be possible to compress this, but we leave this discussion for future research, too.

^11 The isogeny-path-computing algorithm described in the recent paper [9, §7] does not produce preimages for our hash function: indeed, with overwhelming probability the resulting isogeny path does not consist of good extensions, as is apparent from the proof of [9, Lem. 3].

Algorithm 1: Hashing a message m using Richelot isogenies, with λ bits of security on a classical computer
Data: Message m and security parameter λ
Result: The hash of m using Richelot isogenies in a graph G_p, or ⊥ (failure)
1   S ← [({1, 3}, {2, 5}, {4, 6}), …, ({1, 6}, {2, 4}, {3, 5})]
2   p ← the smallest prime such that p > 2^{⌈2λ/3⌉} and p ≡ 5 mod 6
3   (L_1, L_2, L_3, L_4, L_5, L_6) ← (x − 1, x + 1, x, x − 2, x − 1/2, 1) ∈ F_{p^2}[x]^6
4   m ← 2^{30} m
5   while m > 0 do
6       i ← m mod 8
7       m ← (m − i)/8
8       [G_1, G_2, G_3] ← pairwise products of the L_j according to S[i]
9       (L_1, L_2) ← Factorization(H_1) where H_1 := G_2' G_3 − G_2 G_3'
10      (L_3, L_4) ← Factorization(H_2) where H_2 := G_3' G_1 − G_3 G_1'
11      if rank(H_1, H_2) = 1 then
12          return ⊥    // We have hit a vertex in E_p
13      (L_5, L_6) ← Factorization(H_3) where H_3 := G_1' G_2 − G_1 G_2'
14  return invariants of the genus-2 curve defined by the equation y^2 = ∏_{j=1}^{6} L_j
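Algorithm 1 as an added toy implementation in Python; this is not the paper's Magma code from Appendix B, and all function names are ours. It fixes P = 11 (p ≡ 5 mod 6 so that C_0 is superspecial, and p ≡ 3 mod 4 so that F_{p^2} = F_p(i) with i^2 = −1), brute-forces square roots from a table of all P^2 squares, and omits the final Igusa-invariant step: hash_walk returns the six roots of the final curve, which is only a stand-in for the real output and not an isomorphism invariant. The first step out of C_0 can be checked against Section 7.3: the initial splitting (L_1L_2, L_3L_4, L_5L_6) itself is detected as leading to E_p (rank(H_1, H_2) = 1), while all eight entries of S give a genus-2 codomain.

```python
"""Toy version of Algorithm 1 (added example; not the paper's Magma code from Appendix B).
Arithmetic is in F_{P^2} = F_P(i), i^2 = -1, for a tiny P with P == 3 mod 4 (so i exists) and
P == 5 mod 6 (so C_0 is superspecial). Square roots come from a brute-force table, which only
works at toy sizes. The Igusa-invariant output is omitted: hash_walk returns the final roots."""
from itertools import product

P = 11  # toy prime: 11 == 3 mod 4 and 11 == 5 mod 6

class Fp2:
    """Element a + b*i of F_{P^2} = F_P[i]/(i^2 + 1)."""
    __slots__ = ("a", "b")
    def __init__(self, a, b=0): self.a, self.b = a % P, b % P
    def __add__(self, o): return Fp2(self.a + o.a, self.b + o.b)
    def __sub__(self, o): return Fp2(self.a - o.a, self.b - o.b)
    def __mul__(self, o): return Fp2(self.a * o.a - self.b * o.b, self.a * o.b + self.b * o.a)
    def __neg__(self): return Fp2(-self.a, -self.b)
    def __eq__(self, o): return isinstance(o, Fp2) and (self.a, self.b) == (o.a, o.b)
    def __hash__(self): return hash((self.a, self.b))
    def __repr__(self): return f"({self.a}+{self.b}i)"
    def is_zero(self): return self.a == 0 and self.b == 0
    def inv(self):  # (a - b*i) / (a^2 + b^2), the norm being inverted in F_P
        n = pow(self.a * self.a + self.b * self.b, -1, P)
        return Fp2(self.a * n, -self.b * n)

ZERO, ONE = Fp2(0), Fp2(1)
SQRT = {}  # square -> one of its square roots, found by exhaustive search over F_{P^2}
for _a, _b in product(range(P), repeat=2):
    SQRT.setdefault(Fp2(_a, _b) * Fp2(_a, _b), Fp2(_a, _b))

# Polynomials over F_{P^2} are coefficient lists, lowest degree first.
def trim(f):
    while len(f) > 1 and f[-1].is_zero():
        f = f[:-1]
    return f
def pmul(f, g):
    r = [ZERO] * (len(f) + len(g) - 1)
    for i, fi in enumerate(f):
        for j, gj in enumerate(g):
            r[i + j] = r[i + j] + fi * gj
    return trim(r)
def psub(f, g):
    n = max(len(f), len(g))
    f, g = f + [ZERO] * (n - len(f)), g + [ZERO] * (n - len(g))
    return trim([u - v for u, v in zip(f, g)])
def pderiv(f): return trim([f[k] * Fp2(k) for k in range(1, len(f))]) or [ZERO]

def proportional(h1, h2):
    """rank(H1, H2) < 2: all 2x2 minors of the coefficient matrix vanish (the delta = 0 test, Remark 3)."""
    n = max(len(h1), len(h2))
    h1, h2 = h1 + [ZERO] * (n - len(h1)), h2 + [ZERO] * (n - len(h2))
    return all((h1[i] * h2[j] - h1[j] * h2[i]).is_zero() for i in range(n) for j in range(i + 1, n))

def factorization(h):
    """The paper's Factorization subroutine: a quadratic -> its two monic linear factors, a linear ->
    (itself, 1). Dropping the leading coefficient only twists the curve (Remark 3)."""
    h = [c * h[-1].inv() for c in h]
    if len(h) == 2:
        return h, [ONE]
    assert len(h) == 3, "not a quadratic splitting"
    c, b = h[0], h[1]
    s = SQRT[b * b - Fp2(4) * c]  # a KeyError would mean a root outside F_{P^2}; impossible on this walk
    half = Fp2(2).inv()
    return [(b - s) * half, ONE], [(b + s) * half, ONE]  # x - r for the roots r = (-b +/- s)/2

# Proposition 3's eight good extensions as 0-based index pairs into (L1, ..., L6): the list S of Algorithm 1.
S = [((0, 2), (1, 4), (3, 5)), ((0, 2), (1, 5), (3, 4)), ((0, 3), (1, 4), (2, 5)), ((0, 3), (1, 5), (2, 4)),
     ((0, 4), (1, 2), (3, 5)), ((0, 4), (1, 3), (2, 5)), ((0, 5), (1, 2), (3, 4)), ((0, 5), (1, 3), (2, 4))]

def richelot_step(L, splitting):
    """One edge of G_p. L: six linear factors (one may be the constant 1); splitting: three index pairs.
    Returns the six linear factors of the codomain curve, or None when delta = 0 (codomain in E_p)."""
    G = [pmul(L[i], L[j]) for i, j in splitting]
    dG = [pderiv(g) for g in G]
    H = [psub(pmul(dG[1], G[2]), pmul(dG[2], G[1])),  # H1 = G2' G3 - G3' G2
         psub(pmul(dG[2], G[0]), pmul(dG[0], G[2])),  # H2 = G3' G1 - G1' G3
         psub(pmul(dG[0], G[1]), pmul(dG[1], G[0]))]  # H3 = G1' G2 - G2' G1
    if proportional(H[0], H[1]):
        return None
    return [f for h in H for f in factorization(h)]

def initial_factors():
    """(x-1, x+1, x, x-2, x-1/2, 1): C_0 with the initial splitting (L1 L2, L3 L4, L5 L6) of Section 7."""
    lin = lambda r: [-Fp2(r), ONE]
    return [lin(1), lin(-1), lin(0), lin(2), [-Fp2(2).inv(), ONE], [ONE]]

def hash_walk(m, pad=30):
    """Lines 3-13 of Algorithm 1: 3 bits per step after padding m with `pad` zero bits; None = failure."""
    L = initial_factors()
    m <<= pad
    while m > 0:
        L = richelot_step(L, S[m & 7])  # i = m mod 8 selects one of the eight good extensions
        if L is None:
            return None
        m >>= 3                         # m = (m - i) / 8
    return L

def roots(L):
    """Roots of the six factors; None stands for the point at infinity (the constant factor 1)."""
    return {None if len(f) == 1 else -f[0] for f in L}
```

At this toy size a walk of a dozen steps may well hit E_p and return None, since a sizeable fraction of the vertices of G_11 are products of elliptic curves; for cryptographic p this happens with probability O(1/p) per step, as Remark 2 states. Replacing the SQRT table by a real square-root algorithm in F_{p^2} and adding the Igusa-invariant output is what separates this toy from Algorithm 1 proper.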
We implemented our genus-2 CGL hash function algorithm in Magma (version 2.32-2) and ran it on an Intel(R) Xeon(R) CPU E5-2630 v2 @ 2.60GHz with 128 GB memory. For every prime size we averaged the speed over 1000 random inputs of 100 bits. A summary of our timed results can be found in the following table.

                                          p ≈ 2^86    p ≈ 2^128   p ≈ 2^171   p ≈ 2^256
  bits of classical and quantum security  128         192         256         384
  time per bit processed                  5.01 ms     6.52 ms     9.33 ms     15.70 ms
  output bits                             516         768         1026        1536

9. Comparison to Charles–Goren–Lauter, and concluding remarks


The computational cost of each iteration of the main loop in Algorithm 1 is
dominated by the three square roots required to factor the Hi in Lines 9, 10,
and 13. At first glance, this would appear to give no advantage over the Charles–
Goren–Lauter hash function: we compute essentially one expensive square root per
bit of hash input. However, there are two important remarks to be made here:
(1) The entropy in the Charles–Goren–Lauter hash function is linear in p,
whereas in our case it is cubic in p. This implies that for the same security
parameters we can work over much smaller finite fields, so the square roots
are substantially easier to compute.

12In the elliptic curve case something completely analogous occurs: only about p/12 elements
from Fp2 are j-invariants corresponding to supersingular elliptic curves.

(2) The square roots, along with the H_i, can be computed completely independently. The algorithm therefore lends itself well to three-way parallelization, as well as to vectorization techniques on suitable computer architectures.
From this point of view, our proposal is a conjecturally secure version of an ill-constructed hash function that we could call 3CGL, where the message m is split up into 3 chunks m_1, m_2, m_3. Each of these m_i is then hashed using Charles, Goren and Lauter's hash function into a supersingular j-invariant j_i, resulting in a combined hash value (j_1, j_2, j_3) ∈ F_{p^2}^3. Note that, here too, the number of possible outcomes is O(p^3). However, the security of 3CGL clearly reduces to the problem of finding collisions or preimages for one of the chunks, which Pollard ρ can do in time Õ(p^{1/2}), compared to Õ(p^{3/2}) in our case.
While this convinces us that genus-2 hash functions deserve their place in the
arena of isogeny-based cryptography, more research is needed to have a better
assessment of their security and performance. One potentially interesting track
is to adapt Doliskani, Pereira and Barreto’s recent speed-up to Charles, Goren
and Lauter’s hash function from [16], which has the appearance of an orthogonal
improvement that may also apply to genus 2. From a security point of view, it
would be interesting to understand to what extent the discussion from [27, 17],
transferring the elliptic curve analogs of Problems 1 and 2 to questions about orders
in non-commutative algebras and raising some concerns about using special starting
curves, carries over to genus 2.

Acknowledgements. We are grateful to Yan Bo Ti for sharing with us a preliminary copy of [18], to Frederik Vercauteren for helpful feedback, and to Ben Moonen for sharing the argument in Appendix C. We would also like to thank the anonymous reviewers of NutMiC 2019. This work was supported in part by the Research Council KU Leuven grants C14/18/067 and STG/17/019 and by CyberSecurity Research Flanders with reference number VR20192203.

References
[1] Reza Azarderakhsh, Brian Koziel, Matt Campagna, Brian LaMacchia, Craig Costello, Patrick Longa, Luca De Feo, Michael Naehrig, Basil Hess, Joost Renes, Amir Jalali, Vladimir Soukharev, David Jao, and David Urbanik. Supersingular isogeny key encapsulation. http://sike.org, 2017.
[2] Ward Beullens, Thorsten Kleinjung, and Frederik Vercauteren. CSI-FiSh: Efficient isogeny based signatures through class group computations. In Steven D. Galbraith and Shiho Moriai, editors, Advances in Cryptology – ASIACRYPT 2019, pages 227–247, Cham, 2019. Springer International Publishing.
[3] Bradley W. Brock. Superspecial curves of genera two and three. PhD thesis, Princeton University, 1994.
[4] Nils Bruin and Kevin Doerksen. The arithmetic of genus two curves with (4, 4)-split Jacobians. Canadian Journal of Mathematics, 63(5):992–1024, 2011.
[5] Gabriel Cardona and Jordi Quer. Field of moduli and field of definition for curves of genus 2. In Computational aspects of algebraic curves, pages 71–83. World Scientific, 2005.
[6] Wouter Castryck, Tanja Lange, Chloe Martindale, Lorenz Panny, and Joost Renes. CSIDH: An efficient post-quantum commutative group action. In Thomas Peyrin and Steven Galbraith, editors, Advances in Cryptology – ASIACRYPT 2018, Part III, pages 395–427. Springer International Publishing, 2018.
[7] Denis X. Charles, Eyal Z. Goren, and Kristin E. Lauter. Families of Ramanujan graphs and quaternion algebras. Groups and symmetries: from Neolithic Scots to John McKay, 47:53–63, 2009.
[8] Denis X. Charles, Kristin E. Lauter, and Eyal Z. Goren. Cryptographic hash functions from expander graphs. Journal of Cryptology, 22(1):93–113, 2009.
[9] Craig Costello and Benjamin Smith. The supersingular isogeny problem in genus 2 and beyond. In Jintai Ding and Jean-Pierre Tillich, editors, PQCrypto 2020. Springer International Publishing, 2020.
[10] Jean-Marc Couveignes. Hard homogeneous spaces. Cryptology ePrint Archive, Report 2006/291, 2006.
[11] Luca De Feo and Steven D. Galbraith. SeaSign: Compact isogeny signatures from class group actions. In Yuval Ishai and Vincent Rijmen, editors, Advances in Cryptology – EUROCRYPT 2019, pages 759–789. Springer International Publishing, 2019.
[12] Luca De Feo, David Jao, and Jérôme Plût. Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. Journal of Mathematical Cryptology, 8(3):209–247, 2014.
[13] Luca De Feo, Jean Kieffer, and Benjamin Smith. Towards practical key exchange from ordinary isogeny graphs. In Thomas Peyrin and Steven Galbraith, editors, Advances in Cryptology – ASIACRYPT 2018, Part III, pages 365–394. Springer International Publishing, 2018.
[14] Luca De Feo, Simon Masson, Christophe Petit, and Antonio Sanso. Verifiable delay func-
tions from supersingular isogenies and pairings. In Steven D. Galbraith and Shiho Moriai,
editors, Advances in Cryptology – ASIACRYPT 2019, pages 248–277, Cham, 2019. Springer
International Publishing.
[15] Thomas Decru, Lorenz Panny, and Frederik Vercauteren. Faster SeaSign signatures through
improved rejection sampling. In Jintai Ding and Rainer Steinwandt, editors, Post-Quantum
Cryptography, pages 271–285. Springer International Publishing, 2019.
[16] Javad Doliskani, Geovandro C. Pereira, and Paulo S. Barreto. Faster cryptographic hash
function from supersingular isogeny graphs. Cryptology ePrint Archive, Report 2017/1202,
2017.
[17] Kirsten Eisenträger, Sean Hallgren, Kristin Lauter, Travis Morrison, and Christophe Petit.
Supersingular isogeny graphs and endomorphism rings: reductions and solutions. In Jes-
per Buus Nielsen and Vincent Rijmen, editors, Advances in cryptology—EUROCRYPT 2018.
Part III, pages 329–368. Springer International Publishing, 2018.
[18] E. V. Flynn and Yan Bo Ti. Genus two isogeny cryptography. In Jintai Ding and Rainer Stein-
wandt, editors, Post-Quantum Cryptography, pages 286–306. Springer International Publish-
ing, 2019.
[19] Everett W. Howe. Constructing distinct curves with isomorphic Jacobians. J. Number Theory,
56:381–390, 1996.
[20] Everett W. Howe, Franck Leprévost, and Bjorn Poonen. Large torsion subgroups of split
Jacobians of curves of genus two or three. In Forum Mathematicum, volume 12.3, pages
315–364. Berlin; New York: De Gruyter, c1989-, 2000.
[21] Tomoyoshi Ibukiyama and Toshiyuki Katsura. On the field of definition of superspecial po-
larized abelian varieties and type numbers. Compositio Mathematica, 91(1):37–46, 1994.
[22] Tomoyoshi Ibukiyama, Toshiyuki Katsura, and Frans Oort. Supersingular curves of genus
two and class numbers. Compositio Mathematica, 57(2):127–152, 1986.
[23] David Jao and Luca De Feo. Towards quantum-resistant cryptosystems from supersingular
elliptic curve isogenies. In International Workshop on Post-Quantum Cryptography, pages
19–34. Springer, 2011.
[24] Samuel Jaques and John M. Schanck. Quantum cryptanalysis in the RAM model: Claw-
finding attacks on SIKE. In Alexandra Boldyreva and Daniele Micciancio, editors, Advances
in Cryptology – CRYPTO 2019, pages 32–61, Cham, 2019. Springer International Publishing.
[25] Ernst Kani. The number of curves of genus two with elliptic differentials. Journal für die
reine und angewandte Mathematik, 485:93–122, 1997.
[26] Toshiyuki Katsura and Katsuyuki Takashima. Counting superspecial Richelot isogenies and
its cryptographic application. Cornell University arXiv, Report 2003.00633, 2020.
[27] David Kohel, Kristin Lauter, Christophe Petit, and Jean-Pierre Tignol. On the quaternion
ℓ-isogeny path problem. LMS J. Comput. Math., 17(suppl. A):418–432, 2014.
[28] Ke-Zheng Li and Frans Oort. Moduli of supersingular abelian varieties, volume 1680 of Lecture
Notes in Mathematics. Springer-Verlag, Berlin, 1998.
[29] Arnold K. Pizer. Ramanujan graphs and Hecke operators. Bull. Am. Math. Soc., 23(1), 1990.
[30] Joseph H Silverman. The arithmetic of elliptic curves, volume 106. Springer Science & Busi-
ness Media, 2009.
22 WOUTER CASTRYCK, THOMAS DECRU, AND BENJAMIN SMITH

[31] Benjamin Smith. Explicit endomorphisms and correspondences. PhD thesis, University of
Sydney, 2005.
[32] Anton Stolbunov. Public-key encryption based on cycles of isogenous elliptic curves. Master’s
thesis, Saint-Petersburg State Polytechnical University, 2004. In Russian.
[33] Katsuyuki Takashima. Efficient algorithms for isogeny sequences and their cryptographic
applications. In T. Takagi et al., editor, Mathematical Modelling for Next-Generation Cryp-
tography. Mathematics for Industry, volume 29, pages 97–114, Singapore, 2018. Springer.
[34] Katsuyuki Takashima and Reo Yoshida. An algorithm for computing a sequence of Richelot
isogenies. Bull. Korean Math. Soc, 46(4):789–802, 2009.
[35] Seiichiro Tani. Claw finding algorithms using quantum walk. Theoretical Computer Science,
410(50):5285–5297, 2009.

Appendix A. Proof of Theorem 1


We now settle Part (1) of Theorem 1, as an immediate consequence to:
Theorem 2. Let C be a genus-2 curve over a field K of characteristic different
from 2 and 5. Then the number of outgoing (2, 2)-isogenies with codomain a product
of elliptic curves is at most 6.
Proof. We can assume that K is algebraically closed, so that C admits a model of the form $y^2 = \prod_{i=1}^{6} (x - \alpha_i)$ for roots $\alpha_i \in K$ satisfying
$$\prod_{1 \le i < j \le 6} (\alpha_i - \alpha_j) = 1.$$

Due to the formulas for Richelot isogenies, the number of (2, 2)-isogenies with
codomain a product of elliptic curves is determined by how many among the 15
different equations of the form
$$(2) \qquad \det \begin{pmatrix} 1 & \alpha_{\sigma(1)} + \alpha_{\sigma(2)} & \alpha_{\sigma(1)} \alpha_{\sigma(2)} \\ 1 & \alpha_{\sigma(3)} + \alpha_{\sigma(4)} & \alpha_{\sigma(3)} \alpha_{\sigma(4)} \\ 1 & \alpha_{\sigma(5)} + \alpha_{\sigma(6)} & \alpha_{\sigma(5)} \alpha_{\sigma(6)} \end{pmatrix} = 0,$$
where σ is a permutation of {1, 2, 3, 4, 5, 6}, can be simultaneously satisfied.
To show that no more than 6 can occur we work with Gröbner bases. The permutations of Equation (2) determine, up to sign, 15 different polynomials $f_1, \dots, f_{15}$ in $F[\alpha_1, \dots, \alpha_6]$, where F is the prime subfield of K. We pick a subset of 7 of these equations and form the ideal $I \subset F[\alpha_1, \dots, \alpha_6]$ generated by them, together with the polynomial $\rho = \prod_{i<j} (\alpha_i - \alpha_j) - 1$. Now we determine a Gröbner basis G for I. If G = {1} then the variety defined by I is empty and hence those 7 equations we chose can not be satisfied simultaneously, under the assumption that all $\alpha_i$ are different. If we repeat this process for all possible subsets of 7 equations and find G = {1} in all cases, then we are done. There are $\binom{15}{7} = 6435$ possible ways of selecting such a subset, but this is not a problem for Magma.13
When running the algorithm we choose F = Q, for which we indeed find G = {1} in each of the cases. This only shows that there are no solutions if K is of characteristic 0, while we typically want to work over fields of prime characteristic. If the Gröbner basis G equals {1} however, we can write 1 as a linear combination of that particular choice of polynomials $f_i$, say for example $1 = h_1 f_1 + \dots + h_7 f_7 + h_8 \rho$. If we then multiply both sides of the equation by the lowest common multiple m of the denominators of the coefficients of the $h_i$, then we obtain an equation with coefficients in $\mathbb{Z}[\alpha_1, \dots, \alpha_6]$. So as long as the characteristic p of K does not divide m, we still find a contradictory system. Hence it suffices to keep track of the primes that divide m, which are 2, 3, 5, 7 and 11. It then suffices to rerun the Gröbner basis computations for $F = \mathbb{F}_p$ with p = 3, 7, 11, leading to the desired conclusion. □

13 Remark that by using the symmetry in the variables, it is possible to reduce the number of case distinctions needed, but we see no need to optimize this since it is a one time computation.

Figure 2 lists the Magma code that was used. The specific cases p ∈ {3, 7, 11} can be checked by replacing Rationals() by GF(p) for any one value of p, and by removing the innermost loop that starts with for coord in c do completely.
Theorem 2 cannot be proved in this way for p = 2, because equations for hyperelliptic curves are more complicated in characteristic 2. Nevertheless, Theorem 1 is vacuously true for superspecial genus-2 Jacobians when p = 2, because there are no superspecial genus-2 Jacobians over fields of characteristic 2.

Figure 2. Magma code completing the proof of Theorem 1

Q<a1,a2,a3,a4,a5,a6> := PolynomialRing(Rationals(),6);
S := {1,2,3,4,5,6};
I := {};

// the 15 determinants of Equation (2), one for each quadratic splitting of the six roots
for sub1 in Subsets(S,2) do
    subseq1 := SetToSequence(sub1);
    for sub2 in Subsets(S diff sub1, 2) do
        subseq2 := SetToSequence(sub2);
        subseq3 := SetToSequence(S diff (sub1 join sub2));
        M := Matrix(Q,3,3,
            [ 1, Q.subseq1[1] + Q.subseq1[2], Q.subseq1[1]*Q.subseq1[2],
              1, Q.subseq2[1] + Q.subseq2[2], Q.subseq2[1]*Q.subseq2[2],
              1, Q.subseq3[1] + Q.subseq3[2], Q.subseq3[1]*Q.subseq3[2] ] );
        eqn := Determinant(M);
        if -eqn notin I then
            I join:= {Determinant(M)};
        end if;
    end for;
end for;

// rho = disc - 1 encodes that the six roots are pairwise distinct
disc := Q ! 1;
for sub in Subsets(S,2) do
    subseq := SetToSequence(sub);
    disc *:= Q.subseq[1] - Q.subseq[2];
end for;

groebnerboolean := true;
badprimes := {};
for j in Subsets(I,7) do
    J := {disc-1};
    J join:= j;
    if GroebnerBasis(Ideal(J)) ne [1] then groebnerboolean := false; end if;
    // write 1 as a combination of the generators and collect the primes dividing the denominators
    J := IdealWithFixedBasis(SetToSequence(J));
    c := Coordinates(J, Q ! 1);
    for coord in c do
        for coeff in Coefficients(coord) do
            badprimes join:= SequenceToSet(PrimeDivisors(Denominator(coeff)));
        end for;
    end for;
end for;
print groebnerboolean; badprimes;

The following example shows why Theorem 1 is not true for p = 5, and also
provides an example to show that the bound of 6 is sharp.
Example 1. Let C be the genus-2 curve given by $y^2 = x^5 - x$ over $\mathbb{F}_p$ (which is superspecial when p ≡ 5 mod 8), and let $i \in \mathbb{F}_{p^2}$ be a square root of −1. Of the fifteen quadratic splittings of $x^5 - x$, the six splittings
$$\{x,\ x^2 - (i+1)x + i,\ x^2 + (i+1)x + i\}, \quad \{x,\ x^2 + (i-1)x - i,\ x^2 - (i-1)x - i\},$$
$$\{x - 1,\ x^2 + 1,\ x^2 + x\}, \quad \{x + 1,\ x^2 + 1,\ x^2 - x\},$$
$$\{x - i,\ x^2 - 1,\ x^2 + ix\}, \quad \{x + i,\ x^2 - 1,\ x^2 - ix\}$$
all have δ = 0, so they are always singular. The quadratic splitting $\{x,\ x^2 + 1,\ x^2 - 1\}$ has δ = ±2 (the sign of δ may change with the order of the factors), and so is never singular. There are eight splittings remaining. The four splittings
$$\{x - 1,\ x^2 - ix,\ x^2 + (i+1)x + i\}, \quad \{x - i,\ x^2 + x,\ x^2 + (i-1)x - i\},$$
$$\{x + 1,\ x^2 + ix,\ x^2 - (i+1)x + i\}, \quad \{x + i,\ x^2 - x,\ x^2 - (i-1)x - i\}$$
all have δ = ±(3i + 1), while their "conjugates", the four splittings
$$\{x - 1,\ x^2 + ix,\ x^2 - (i-1)x - i\}, \quad \{x + i,\ x^2 + x,\ x^2 - (i+1)x + i\},$$
$$\{x + 1,\ x^2 - ix,\ x^2 + (i-1)x - i\}, \quad \{x - i,\ x^2 - x,\ x^2 + (i+1)x + i\}$$
have δ = ±(3i − 1).
Now, when p = 5, we may take i = 2 or i = 3. If i = 2 then 3i − 1 = 0, so the last set of four become singular (and the penultimate set of four have δ = ±2), while if i = 3 then 3i + 1 = 0, so the penultimate set of four become singular (and then the last set of four have δ = ±2). In either case, for p = 5 we have exactly four additional singular splittings, making ten in total; and we cannot have i = 2 or 3 in any other characteristic, so if p ≠ 5 then there are only six singular splittings.
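As an added example (my code, not the paper's), the following Python script recomputes Example 1 by brute force. It enumerates the 15 quadratic splittings of $x^5 - x$ over $\mathbb{F}_p$ for a prime p ≡ 1 mod 4 (so that i = √−1 already lies in $\mathbb{F}_p$), forms δ as the determinant of the 3×3 matrix whose rows are the coefficients of the three factors, and counts the singular splittings. A linear factor x − α, which stands for the pair {α, ∞}, is written with coefficient row (0, 1, −α); this differs from the rows of Equation (2) only by signs of a column and of rows, so it does not change whether δ vanishes. The primes 5, 13 and 29 used at the bottom are my own choices (all ≡ 5 mod 8); the example predicts ten singular splittings for p = 5 and six for the others.

```python
# Constructed example: count the singular quadratic splittings of x^5 - x over F_p.
INF = None   # marker for the root "at infinity" of the degree-5 polynomial


def sqrt_minus_one(p):
    """Return some i in F_p with i*i == -1 mod p; requires p == 1 mod 4."""
    assert p % 4 == 1, "need -1 to be a square in F_p"
    for n in range(2, p):
        if pow(n, (p - 1) // 2, p) == p - 1:   # n is a quadratic non-residue ...
            return pow(n, (p - 1) // 4, p)     # ... so n^((p-1)/4) squares to -1
    raise ValueError("no non-residue found")


def factor_coefficients(pair, p):
    """Coefficient row (g2, g1, g0) of the factor G(x) attached to a pair of roots.

    {a, b} both finite -> G = (x - a)(x - b) = x^2 - (a + b) x + a b
    {a, INF}           -> G = x - a, a 'quadratic' whose leading coefficient is 0
    """
    a, b = pair
    if a is INF or b is INF:
        alpha = b if a is INF else a
        return (0, 1, (-alpha) % p)
    return (1, (-(a + b)) % p, (a * b) % p)


def det3(rows, p):
    """Determinant of a 3x3 matrix given as three rows, reduced mod p."""
    (a, b, c), (d, e, f), (g, h, i) = rows
    return (a * (e * i - f * h) - b * (d * i - f * g) + c * (d * h - e * g)) % p


def quadratic_splittings(roots):
    """Yield every partition of the root list into unordered pairs (15 for six roots)."""
    if not roots:
        yield []
        return
    first = roots[0]
    for k in range(1, len(roots)):
        rest = roots[1:k] + roots[k + 1:]
        for tail in quadratic_splittings(rest):
            yield [(first, roots[k])] + tail


def singular_splittings(p):
    """Return (number of splittings with delta == 0, total number of splittings)."""
    i = sqrt_minus_one(p)
    roots = [0, 1, p - 1, i, (-i) % p, INF]        # roots of x^5 - x, plus infinity
    deltas = [det3([factor_coefficients(pr, p) for pr in split], p)
              for split in quadratic_splittings(roots)]
    return sum(1 for d in deltas if d == 0), len(deltas)


if __name__ == "__main__":
    for p in (5, 13, 29):                          # constructed primes, all 5 mod 8
        print(p, singular_splittings(p))
```

Running it prints `(10, 15)` for p = 5 and `(6, 15)` for p = 13 and p = 29, matching the case analysis above; the eight "mixed" splittings are exactly the ones whose δ changes with i.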

Appendix B. The hash function


Figure 3 lists Magma code implementing our hash function, with the specific
parameter choices described in this article.

Appendix C. Invariance of the rank of the Hasse–Witt matrix


Fix g ≥ 2 and let V be the set of isomorphism classes of supersingular g-
dimensional p.p. abelian varieties over Fp . This appendix discusses an obstruction
to the connectedness of any graph whose vertex set is V and whose edges represent
separable isogenies.
Proposition 7. Let A, B be g-dimensional abelian varieties over $\mathbb{F}_p$ and assume that there exists a separable isogeny ϕ : A → B. Then the rank of pth power Frobenius acting on $H^1(A, \mathcal{O}_A)$ equals that of pth power Frobenius acting on $H^1(B, \mathcal{O}_B)$.
As a consequence, Pizer's result [29] that the ℓ-isogeny graph of all supersingular elliptic curves over $\mathbb{F}_p$ is connected (for any prime number ℓ ≠ p) cannot be transferred to supersingular p.p. abelian varieties of higher dimension. Of course, in view
of Conjecture 1 we hope that it does generalize when restricting to the superspecial
subgraph. The proof of Proposition 7 was explained to us by Ben Moonen; we refer
to the book by Li and Oort [28] for more background on the terminology it invokes.

Figure 3. Magma code for the genus-2 superspecial hash function


function prime(lambda)
p:= 2^Ceiling(lambda*2/3);
repeat p := NextPrime(p); until p mod 6 eq 5;
return p;
end function;

function fac(pol)
r := [ rt[1] : rt in Factorization(pol)];
if #r eq 1 then Append(~r,1); end if;
return r;
end function;

function G2CGLhash(lambda, message)
splits := [
[{1,3},{2,5},{4,6}], [{1,3},{2,6},{4,5}],
[{1,4},{2,5},{3,6}], [{1,4},{2,6},{3,5}],
[{1,5},{2,3},{4,6}], [{1,5},{2,4},{3,6}],
[{1,6},{2,3},{4,5}], [{1,6},{2,4},{3,5}]
];

p := prime(lambda);
R<x> := PolynomialRing(GF(p^2));
factors := [x-1, x+1, x, x-2, x-1/2, 1];
message := message*2^30;
mbase8 := IntegerToSequence(message, 8); // base-8 digits of message

for i := 1 to #mbase8 do
split := splits[mbase8[i]+1];
G1 := &*[ factors[j] : j in split[1]];
G2 := &*[ factors[j] : j in split[2]];
G3 := &*[ factors[j] : j in split[3]];
h1 := Derivative(G2)*G3 - G2*Derivative(G3); r1 := fac(h1);
h2 := Derivative(G3)*G1 - G3*Derivative(G1); r2 := fac(h2);
if Rank(Matrix([ [Coefficient(h1,j) : j in [0..2]],
[Coefficient(h2,j) : j in [0..2]] ])) eq 1 then
// isogeny codomain is a product of elliptic curves
print "No hash for this value possible."; return;
end if;
h3 := Derivative(G1)*G2 - G1*Derivative(G2); r3 := fac(h3);
factors := r1 cat r2 cat r3;
end for;

return G2Invariants(HyperellipticCurve(&*factors));
end function;

Proof. Write $\sigma : \mathbb{F}_p \to \mathbb{F}_p$ for pth power Frobenius. Denote by $M = H^1_{\mathrm{dR}}(A/\mathbb{F}_p)$ the (contravariant) Dieudonné module of the group scheme A[p], which comes equipped with a σ-linear Frobenius operator F : M → M for which we have
$$M / \ker(F) \cong H^1(A, \mathcal{O}_A)$$

as vector spaces equipped with Frobenius. Thus the rank of Frobenius acting on
H 1 (A, OA ) is given by
$$\dim_{\mathbb{F}_p}\big( (\operatorname{im}(F) + \ker(F)) / \ker(F) \big) = \dim_{\mathbb{F}_p}\big( \operatorname{im}(F) / (\operatorname{im}(F) \cap \ker(F)) \big) = g - \dim_{\mathbb{F}_p}(\operatorname{im}(F) \cap \ker(F))$$
where g = dim(A) = dimFp (im(F)). The quantity dimFp (im(F) ∩ ker(F)) is in
fact known as the a-number of A.
Now the group scheme A[p] admits the decomposition
A[p] = A[p]loc,ét ⊕ A[p]loc,loc ⊕ A[p]ét,loc
which corresponds to a decomposition of Dieudonné modules
M = Mloc,ét ⊕ Mloc,loc ⊕ Mét,loc
and it holds that im(F) ∩ ker(F) is zero on the summands $M_{\mathrm{loc},\text{ét}}$ and $M_{\text{ét},\mathrm{loc}}$, where F is zero resp. bijective. But if ϕ : A → B is a separable isogeny then ker(ϕ) is an étale group scheme, yielding an isomorphism
$$A[p]_{\mathrm{loc},\mathrm{loc}} \cong B[p]_{\mathrm{loc},\mathrm{loc}}.$$
It follows that the a-numbers of A and B are the same, and as a consequence that the rank of Frobenius on $H^1(A, \mathcal{O}_A)$ is equal to the rank of Frobenius on $H^1(B, \mathcal{O}_B)$, as wanted. □

Section of Algebra, Department of Mathematics, KU Leuven


E-mail address: wouter.castryck@esat.kuleuven.be

imec-COSIC, Department of Electrical Engineering, KU Leuven


E-mail address: thomas.decru@esat.kuleuven.be

Inria and École Polytechnique, Institut Polytechnique de Paris, Palaiseau, France


E-mail address: smith@lix.polytechnique.fr
Chapter 8

CSURF

Of puns it has been said that
those who most dislike them are
those who are least able to utter
them.

Edgar Allan Poe

Publication data

Wouter Castryck and Thomas Decru (2020). CSIDH on the Surface. In Post-
Quantum Cryptography - 11th International Conference, PQCrypto 2020, Paris,
France, April 15-17, 2020, Proceedings (pp. 111–129). Springer.

Own contribution

My main contributions are some of the mathematical results such as the proof
of Proposition 2, the algorithmic and implementational part, as well as writing
several sections of the article.

CSIDH on the surface

Wouter Castryck and Thomas Decru

Cosic and Imec, Department of Electrical Engineering, KU Leuven


wouter.castryck@esat.kuleuven.be, thomas.decru@esat.kuleuven.be

Abstract. For primes p ≡ 3 mod 4, we show that setting up CSIDH on the surface, i.e., using supersingular elliptic curves with endomorphism ring $\mathbb{Z}[(1 + \sqrt{-p})/2]$, amounts to just a few sign switches in the underlying arithmetic. If p ≡ 7 mod 8 then horizontal 2-isogenies can be used
to help compute the class group action. The formulas we derive for these
2-isogenies are very efficient (they basically amount to a single expo-
nentiation in Fp ) and allow for a noticeable speed-up, e.g., our resulting
CSURF-512 protocol runs about 5.68% faster than CSIDH-512. This im-
provement is completely orthogonal to all previous speed-ups, constant-
time measures and construction of cryptographic primitives that have
appeared in the literature so far. At the same time, moving to the sur-
face gets rid of the redundant factor Z3 of the acting ideal-class group,
which is present in the case of CSIDH and offers no extra security.

Keywords: isogeny-based cryptography, hard homogeneous spaces, CSIDH, Montgomery curves

1 Introduction

A hard homogeneous space [10] is an efficiently computable free and transitive action ⋆ : G × S → S of a finite commutative group G on a set S, for which the parallelization problem is hard: given $s_0, s_1, s_2 \in S$, it should be infeasible to find $g_1 g_2 \star s_0$, where $g_1, g_2 \in G$ are such that $s_1 = g_1 \star s_0$ and $s_2 = g_2 \star s_0$.
This generalizes the notion of a cyclic group C in which the Diffie–Hellman
problem is hard, as can be seen by considering the set S of generators of C,
acted upon by $G = (\mathbb{Z}_{|C|})^\times$ through exponentiation. The main appeal of hard
homogeneous spaces lies in their potential for post-quantum cryptography: while
exponentiation-based Diffie–Hellman succumbs to Shor’s polynomial-time quan-
tum algorithm [22], in this more general setting the best attack available is
Kuperberg’s subexponential-time algorithm for finding hidden shifts [16]. This
line of research has led to a number of efficient post-quantum cryptographic
primitives, such as non-interactive key exchange [7] and digital signatures [4],
which stand out in terms of bandwidth requirements, and verifiable delay func-
tions [11].
Unfortunately, we only know of one source of candidate hard homogeneous
spaces that are not based on exponentiation. They descend from CM theory,
which yields a family of isogeny-wise actions by ideal-class groups on sets of
elliptic curves over finite fields, whose use in cryptography was proposed inde-
pendently by Couveignes [10] and Rostovtsev–Stolbunov [20,23,24]. The current
paper revisits CSIDH [7], which is an incarnation of this idea, using supersingu-
lar elliptic curves rather than ordinary elliptic curves (as originally suggested),
thereby speeding up the resulting protocols by several orders of magnitude.
Concretely, we focus on the following design choice of CSIDH: as put forward
in [7], it works over a large finite prime field $\mathbb{F}_p$ with p ≡ 3 mod 8, and it acts by $G = C\ell(\mathbb{Z}[\sqrt{-p}])$ on the set S of $\mathbb{F}_p$-isomorphism classes of elliptic curves with endomorphism ring $\mathbb{Z}[\sqrt{-p}]$ — such curves are said to live on the floor. The motivation for this choice comes from [7, Prop. 8], which identifies S with
$$S_p^+ = \{\, a \in \mathbb{F}_p \mid y^2 = x^3 + ax^2 + x \text{ is supersingular} \,\},$$
i.e., every curve on the floor has a unique representative in Montgomery form and, conversely, every supersingular Montgomery curve over $\mathbb{F}_p$ has endomorphism ring $\mathbb{Z}[\sqrt{-p}]$. This convenient fact allows for compact and easily verifiable public keys. Furthermore $0 \in S_p^+$ makes for a natural choice of $s_0$.

Contributions
The main contributions of this paper are as follows.
(a) One of our main observations is that for p ≡ 7 mod 8, a very similar statement applies to the surface, consisting of $\mathbb{F}_p$-isomorphism classes of elliptic curves with endomorphism ring $\mathbb{Z}[(1 + \sqrt{-p})/2]$. Concretely, we show that this set can be identified with
$$S_p^- = \{\, A \in \mathbb{F}_p \mid y^2 = x^3 + Ax^2 - x \text{ is supersingular} \,\}, \qquad (1)$$
which again contains 0 as a convenient instance of $s_0$. The tweaked Montgomery form $y^2 = x^3 + Ax^2 - x$ does not seem to have been studied before. From the viewpoint of efficient arithmetic, it is equivalent with the standard Montgomery form: we will show that the required adaptations to the Montgomery ladder and to Vélu's isogeny formulae (in the version of Renes [19]) just amount to a few sign flips, with the exception of 2-isogenies, which require a separate treatment. Therefore, the protocols built from the action of $C\ell(\mathbb{Z}[(1 + \sqrt{-p})/2])$ on $S_p^-$ are near-copies of those built from CSIDH.1
(b) If p ≡ 7 mod 8 then the prime 2 splits in $\mathbb{Q}(\sqrt{-p})$, which allows for the use of horizontal 2-isogenies. We show that computing 2-isogenies is an order of magnitude faster than computing ℓ-isogenies for odd ℓ. The cost of a 2-isogeny is dominated by a single exponentiation over $\mathbb{F}_p$, leading to a noticeable speed-up (e.g., our CSURF-512 protocol below performs about 5.68% faster than CSIDH-512). We stress that this improvement is totally orthogonal to all previous speed-ups, constant-time measures (see e.g. [9,15]) and cryptographic applications (see e.g. [7,4,11]) that have appeared in the literature so far.

1 Moreover, if p ≡ 3 mod 4 then $x^3 + Ax^2 - x$ is automatically square-free, allowing for a marginally simpler key validation. But this deserves a footnote, at most.

We note along the way that, by working on the surface, we naturally get rid of the factor $\mathbb{Z}_3$ that is present in $C\ell(\mathbb{Z}[\sqrt{-p}])$ when p ≡ 3 mod 8. Because of the interplay between floor and surface, this factor does not give extra security (see Remark 2). Furthermore, it provides a possible hindrance for isogeny-based threshold schemes: when using more than two parties one must map the problem into $C\ell(\mathbb{Z}[\sqrt{-p}])^3$, which comes at a small cost if the group structure is unknown [12].
Apart from these benefits, given the limited pool of hard homogeneous spaces
available, having the complete supersingular picture at our disposal adds freedom
to the parameter selection and leads to a better understanding of the interplay
between floor and surface. This being said, primes p ≡ 1 mod 4 are omitted from
our discussion, the main reason being Lemma 1 below: for such p, supersingular
elliptic curves over Fp never admit a model of the form y 2 = x3 + Ax2 ± x. This
complicates comparison with [7]. It is possible that other elliptic curve models
can fill this gap, but we leave that for future research.

Acknowledgments

A partial proof of Theorem 3 below can be found in Berre Baelen's master thesis [1], which was the direct inspiration for this research. We thank Luca De
Feo for pointing out the relevance to isogeny-based threshold schemes [12], and
Frederik Vercauteren for helpful feedback regarding the proof of Lemma 4. We
also note that independent and near-simultaneous work by Fan, Tian, Li and
Xu [14] largely overlaps with the material in Section 3. This work was supported
in part by the Research Council KU Leuven grants C14/18/067 and STG/17/019
and by CyberSecurity Research Flanders with reference number VR20192203.

2 Background, and formulation of our main theorem

Consider a prime number p > 3 and a supersingular elliptic curve $E/\mathbb{F}_p$. Its Frobenius endomorphism $\pi_E$ satisfies $\pi_E \circ \pi_E = -p$, hence $\mathbb{Z}[\sqrt{-p}]$ can be viewed as a subring of the ring $\mathrm{End}_p(E)$ of $\mathbb{F}_p$-rational endomorphisms of E. If p ≡ 1 mod 4 then this leaves us with one option for $\mathrm{End}_p(E)$, namely $\mathbb{Z}[\sqrt{-p}]$ itself. If p ≡ 3 mod 4, which is our main case of interest, then we are left with two options for $\mathrm{End}_p(E)$, namely $\mathbb{Z}[\sqrt{-p}]$ and $\mathbb{Z}[(1 + \sqrt{-p})/2]$.
For each such option $\mathcal{O}$, we let $E\ell\ell_p(\mathcal{O})$ denote the set of $\mathbb{F}_p$-isomorphism classes of elliptic curves $E/\mathbb{F}_p$ for which $\mathrm{End}_p(E) \cong \mathcal{O}$. If p ≡ 3 mod 4 then $E\ell\ell_p(\mathbb{Z}[\sqrt{-p}])$ is called the floor, whereas $E\ell\ell_p(\mathbb{Z}[(1 + \sqrt{-p})/2])$ is called the surface; this terminology stems from the structure of the 2-isogeny graph of supersingular elliptic curves over $\mathbb{F}_p$, see Delfs–Galbraith [13].
Remark 1. If p ≡ 3 mod 4 then it is easy to decide whether a given supersingular elliptic curve $E/\mathbb{F}_p$ is located on the floor or on the surface: in the former case $|E(\mathbb{F}_p)[2]| = 2$ while in the latter case $|E(\mathbb{F}_p)[2]| = 4$. If p ≡ 3 mod 8 then the 3 outgoing 2-isogenies from a curve on the surface all go down, that is, the codomain curves all live on the floor. If p ≡ 7 mod 8 then only one of the codomain curves is located on the floor.

Recall that $S_p^-$ denotes the set of all coefficients $A \in \mathbb{F}_p$ such that $E_A^- : y^2 = x^3 + Ax^2 - x$ is a supersingular elliptic curve. The elements of $S_p^-$ will be called Montgomery− coefficients and the corresponding elliptic curves Montgomery− curves. As we will see below, such curves are always located on the surface. Mutatis mutandis, the set $S_p^+$ contains the Montgomery+ coefficients $a \in \mathbb{F}_p \setminus \{\pm 2\}$ such that the Montgomery+ curve $E_a^+ : y^2 = x^3 + ax^2 + x$ is supersingular. If p ≡ 3 mod 8 then such curves are necessarily located on the floor. However, this is not true if p ≡ 7 mod 8, in which case we will occasionally write $S_{p,\mathcal{O}}^+$ to denote the subset of $S_p^+$ corresponding to curves with endomorphism ring $\mathcal{O}$.
To every $E \in E\ell\ell_p(\mathcal{O})$ and every $\mathfrak{a} \subseteq \mathcal{O}$ we can associate the subgroup
$$E[\mathfrak{a}] = \bigcap_{\phi \in \mathfrak{a}} \{\, P \in E \mid \phi(P) = \infty \,\} \subseteq E,$$

where, of course, φ should be viewed as an endomorphism of E through the isomorphism $\mathrm{End}_p(E) \cong \mathcal{O}$ identifying $\pi_E$ with $\sqrt{-p}$. We then have:
Theorem 1. The map $\rho : C\ell(\mathcal{O}) \times E\ell\ell_p(\mathcal{O}) \to E\ell\ell_p(\mathcal{O})$ sending $([\mathfrak{a}], E)$ to $\mathfrak{a} \star E := E/E[\mathfrak{a}]$ is a well-defined free and transitive group action.

Proof. See [21, Thm. 4.5] and its proof.

Here $C\ell(\mathcal{O})$ denotes the ideal-class group of $\mathcal{O}$, and $[\mathfrak{a}]$ denotes the class of an invertible ideal $\mathfrak{a} \subseteq \mathcal{O}$.
The assumption underlying CSIDH is that this is a hard homogeneous space,
as soon as p is large enough. From a constructive point of view, the following
version of Theorem 1, obtained by incorporating [7, Prop. 8] and Vélu’s isogeny
formulas (in the version of [19, Prop. 1]), forms its backbone.

Theorem 2. If p ≡ 3 mod 8 then the map $\rho^+ : C\ell(\mathbb{Z}[\sqrt{-p}]) \times S_p^+ \to S_p^+$ sending $([\mathfrak{a}], a)$ to
$$[\mathfrak{a}] \star a := \Big( a - 3 \sum_{\substack{P \in E_a^+[\mathfrak{a}] \\ P \neq \infty}} \Big( x(P) - \frac{1}{x(P)} \Big) \Big) \cdot \prod_{\substack{P \in E_a^+[\mathfrak{a}] \\ P \neq \infty}} x(P)$$
is a well-defined free and transitive group action. Here we assume $(0, 0) \notin E_a^+[\mathfrak{a}]$.
The assumption $(0, 0) \notin E_a^+[\mathfrak{a}]$ is not a restriction since $C\ell(\mathbb{Z}[\sqrt{-p}])$ is generated by ideals of odd norm, and by design CSIDH acts by such ideals only.2
Our main theoretical tool is the following variant of Theorem 2, on which our CSURF-512 protocol from Section 6 relies:

2 It has been pointed out, e.g. in [17,8], that allowing for the action of $(4, \sqrt{-p} - 1)$ could lead to a minor improvement. See also Remark 2.

Theorem 3. If p ≡ 3 mod 4 then the maps
$$\rho^- : \begin{cases} C\ell(\mathbb{Z}[\sqrt{-p}]) \times S_p^- \to S_p^- & \text{if } p \equiv 3 \bmod 8, \\ C\ell(\mathbb{Z}[(1 + \sqrt{-p})/2]) \times S_p^- \to S_p^- & \text{if } p \equiv 7 \bmod 8 \end{cases}$$
sending $([\mathfrak{a}], A)$ to
$$[\mathfrak{a}] \star A := \Big( A - 3 \sum_{\substack{P \in E_A^-[\mathfrak{a}] \\ P \neq \infty}} \Big( x(P) + \frac{1}{x(P)} \Big) \Big) \cdot \prod_{\substack{P \in E_A^-[\mathfrak{a}] \\ P \neq \infty}} x(P)$$
are well-defined free and transitive group actions. Here, we assume that the ideal $\mathfrak{a}$ representing $[\mathfrak{a}]$ has odd norm.

We again note that the class group is generated by ideals of odd norm. However, if p ≡ 7 mod 8 then $C\ell(\mathbb{Z}[(1 + \sqrt{-p})/2])$ also admits invertible ideals of norm 2, which can be used to speed up the evaluation of $\rho^-$ significantly. These require a separate treatment, which is outlined in Section 4.
Apart from a striking analogy with Theorem 2, the reader might notice that Theorem 3 is in seeming conflict with Theorem 1 when p ≡ 3 mod 8. Indeed, since the curves $E_A^-$ always have endomorphism ring $\mathbb{Z}[(1 + \sqrt{-p})/2]$, it seems that $\rho^-$ is acting by the wrong class group! However, in Section 3 we will see that every curve on the surface has three representants in $S_p^-$, and at the same time $|C\ell(\mathbb{Z}[\sqrt{-p}])| = 3\,|C\ell(\mathbb{Z}[(1 + \sqrt{-p})/2])|$. It turns out that, somewhat surprisingly, Vélu's formulas consistently link both factors 3 to each other.
We note that Theorem 2 can be extended to cover p ≡ 7 mod 8 as well, by merely adding a subscript $\mathbb{Z}[\sqrt{-p}]$ to $S_p^+$. But for such p there is also a surface version of Theorem 2, which is more subtle and will be discussed in Section 5.

Further notation and terminology

The identity element of an elliptic curve E will be denoted by ∞ and context will make it clear to which curve it belongs. An important convention is that if p ≡ 3 mod 4, then for a a square in $\mathbb{F}_p$ we denote by $\sqrt{a}$ the unique square root which is again a square; this can be computed as $a^{(p+1)/4}$. Finally, for $B \in \mathbb{Z}_{>0}$ we write [−B; B] for the set of integers $[-B, B] \cap \mathbb{Z}$.

3 Properties of Montgomery− curves


3.1 Montgomery− arithmetic: just a few sign flips
One of the advantages of Montgomery+ curves is that arithmetic on them can
be done very efficiently. Fortunately, this can easily be adjusted to work for
Montgomery− curves. E.g., the formulas for point doubling and differential ad-
dition, for use in the Montgomery ladder, take the following form.


Proposition 1. Let $E_A^- : y^2 = x^3 + Ax^2 - x$ be an elliptic curve over a field K of characteristic different from two, with $P, Q \in E_A^-(K)$.

1. If P = ∞ or $x(P)^3 + A\,x(P)^2 - x(P) = 0$, then 2P = ∞. Else
$$x(2P) = \frac{(x(P)^2 + 1)^2}{4\,(x(P)^3 + A\,x(P)^2 - x(P))}.$$

2. If {P, Q, P + Q, P − Q} ∩ {∞} = ∅, then
$$x(P + Q)\,x(P - Q) = \frac{(x(P)\,x(Q) + 1)^2}{(x(P) - x(Q))^2}.$$

Proof. This is almost a copy of the corresponding proofs in [2].
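As an added example (my code, not the paper's), the following Python script turns Proposition 1 into an x-only Montgomery ladder on a Montgomery− curve in projective (X : Z) coordinates, and cross-checks it against the ordinary affine chord-and-tangent group law of $y^2 = x^3 + Ax^2 - x$. The differential addition is the homogenised form of Proposition 1(2) with $x(P+Q) = (x(P)x(Q)+1)^2 / ((x(P)-x(Q))^2\, x(P-Q))$; the "+1" where a Montgomery+ curve has "−1" is one of the sign flips the paper refers to. The prime p = 23 (≡ 7 mod 8), the curve $y^2 = x^3 - x$ (supersingular since p ≡ 3 mod 4) and the base point (3, 1) are constructed choices; (3, 1) happens to have order 6, so the run also exercises the point at infinity (Z = 0).

```python
# Constructed example: x-only arithmetic on E_A^- : y^2 = x^3 + A x^2 - x over F_p,
# cross-checked against the affine group law.


def affine_add(P, Q, A, p):
    """Chord-and-tangent addition of affine points (None = point at infinity)."""
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:      # Q = -P, includes doubling a 2-torsion point
        return None
    if P == Q:
        lam = (3 * x1 * x1 + 2 * A * x1 - 1) * pow((2 * y1) % p, -1, p) % p
    else:
        lam = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p
    x3 = (lam * lam - A - x1 - x2) % p       # Weierstrass form with a2 = A, a4 = -1
    y3 = (lam * (x1 - x3) - y1) % p
    return (x3, y3)


def affine_mul(k, P, A, p):
    """Reference k*P by repeated affine addition."""
    R = None
    for _ in range(k):
        R = affine_add(R, P, A, p)
    return R


def xdbl(X, Z, A, p):
    """Proposition 1(1), homogenised: x(2P) = (x^2+1)^2 / (4 (x^3 + A x^2 - x))."""
    s = (X * X + Z * Z) % p
    Xn = (s * s) % p
    Zn = (4 * Z * (X * X * X + A * X * X * Z - X * Z * Z)) % p
    return Xn, Zn


def xadd(XP, ZP, XQ, ZQ, XD, ZD, p):
    """Proposition 1(2), homogenised, given x(P), x(Q) and x(P-Q) = XD/ZD."""
    Xn = (ZD * pow(XP * XQ + ZP * ZQ, 2, p)) % p     # '+' here: Montgomery+ would have '-'
    Zn = (XD * pow(XP * ZQ - XQ * ZP, 2, p)) % p
    return Xn, Zn


def ladder(k, xP, A, p):
    """Montgomery ladder: x(k*P) in F_p, or None when k*P is the point at infinity."""
    R0 = (1, 0)                    # point at infinity is (1 : 0)
    R1 = (xP, 1)                   # invariant: R1 - R0 = P
    for bit in bin(k)[2:]:
        if bit == "1":
            R0 = xadd(*R0, *R1, xP, 1, p)
            R1 = xdbl(*R1, A, p)
        else:
            R1 = xadd(*R0, *R1, xP, 1, p)
            R0 = xdbl(*R0, A, p)
    X, Z = R0
    return None if Z == 0 else (X * pow(Z, -1, p)) % p


def ladder_matches_group_law(P, A, p, kmax):
    """True if the x-only ladder agrees with affine scalar multiplication for k = 1..kmax."""
    for k in range(1, kmax + 1):
        R = affine_mul(k, P, A, p)
        if ladder(k, P[0], A, p) != (None if R is None else R[0]):
            return False
    return True


if __name__ == "__main__":
    p, A = 23, 0                   # constructed: p = 7 mod 8, curve y^2 = x^3 - x
    P = (3, 1)                     # 1^2 = 27 - 3 = 24 = 1 mod 23, so P is on the curve
    print([ladder(k, P[0], A, p) for k in range(1, 8)])
    print(ladder_matches_group_law(P, A, p, 30))
```

With these inputs x(2P) = 2, x(3P) = 1 (a 2-torsion point, since $1^3 - 1 = 0$), 6P = ∞ and x(7P) = 3 again, exactly as the affine law gives; the test range up to k = 30 covers several passes through the point at infinity.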

Likewise, computing odd degree isogenies between Montgomery− curves just amounts to a few sign changes with respect to the formulas from [19, Prop. 1], leading to the following statement (we will treat 2-isogenies separately in Section 4).

Proposition 2. Let $E_A^- : y^2 = x^3 + Ax^2 - x$ be an elliptic curve over a field K of characteristic not two. Let $G \subseteq E_A^-(K)$ be a finite subgroup such that |G| is odd, and let φ be a separable isogeny such that ker(φ) = G. Then there exists a curve $E_B^- : y^2 = x^3 + Bx^2 - x$ such that, up to composition with an isomorphism,
$$\phi : E_A^- \to E_B^-, \qquad (x, y) \mapsto \big( f(x),\ c_0\, y\, f'(x) \big),$$
where
$$f(x) = x \prod_{T \in G \setminus \{\infty\}} \frac{x\, x_T + 1}{x - x_T}.$$
Writing
$$\pi = \prod_{T \in G \setminus \{\infty\}} x_T, \qquad \sigma = \sum_{T \in G \setminus \{\infty\}} \Big( x_T + \frac{1}{x_T} \Big),$$
we also have that B = π(A − 3σ), $c_0^2 = \pi$.

Proof. Let $i, \theta \in \bar{K}$ be such that $i^2 = -1$ and $\theta^2 = i$, and let ℓ = |G|. We will construct the isogeny φ as the concatenation of $\phi_3 \circ \phi_2 \circ \phi_1$ as illustrated in the following diagram,
$$\begin{array}{ccc} E_A^- & \xrightarrow{\ \phi\ } & E_B^- \\ {\scriptstyle \phi_1} \downarrow & & \uparrow {\scriptstyle \phi_3} \\ E_a^+ & \xrightarrow{\ \phi_2\ } & E_b^+ \end{array}$$
where $\phi_2 : E_a^+ \to E_b^+$ is the isogeny from [19, Prop. 1], and the elliptic curves are given by the Montgomery+ forms $E_a^+ : y^2 = x^3 + ax^2 + x$ and $E_b^+ : y^2 = x^3 + bx^2 + x$.
The isogenies $\phi_1$ and $\phi_3$ are in fact isomorphisms (over an extension field) given by
$$\phi_1 : E_A^- \to E_a^+, \qquad (x, y) \mapsto (-ix,\ \theta y)$$
and
$$\phi_3 : E_b^+ \to E_B^-, \qquad (x, y) \mapsto (ix,\ -i\theta y).$$
It is easy to verify that a = −iA and B = ib. The rest of the proof is just a straightforward calculation. With the formulas from [19] we can compute the coefficient b as $\tilde{\pi}(a - 3\tilde{\sigma}) = (-i)^{\ell} \pi (A - 3\sigma)$ where
$$\tilde{\pi} = \prod_{T \in \phi_1(G) \setminus \{\infty\}} x_T = \prod_{T \in G \setminus \{\infty\}} (-i\, x_T) = (-i)^{\ell - 1} \pi,$$
$$\tilde{\sigma} = \sum_{T \in \phi_1(G) \setminus \{\infty\}} \Big( x_T - \frac{1}{x_T} \Big) = \sum_{T \in G \setminus \{\infty\}} \Big( -i\, x_T + \frac{1}{i\, x_T} \Big) = -i \sigma.$$
Similarly if we define
$$\tilde{f} = x \prod_{T \in \phi_1(G) \setminus \{\infty\}} \frac{x\, x_T - 1}{x - x_T},$$
then with $\tilde{c}_0^{\,2} = \tilde{\pi} = (-i)^{\ell - 1} \pi$, we have
$$\begin{aligned} (\phi_2 \circ \phi_1)(x, y) &= \Big( \tilde{f}(-ix),\ \tilde{c}_0\, \theta y\, \tilde{f}'(-ix) \Big) \\ &= \Big( -ix \prod_{T \in \phi_1(G) \setminus \{\infty\}} \frac{-ix\, x_T - 1}{-ix - x_T},\ \tilde{c}_0\, \theta y\, \tilde{f}'(-ix) \Big) \\ &= \Big( -ix \prod_{T \in G \setminus \{\infty\}} \frac{-x\, x_T - 1}{-ix + i\, x_T},\ \tilde{c}_0\, \theta y\, \tilde{f}'(-ix) \Big) \\ &= \Big( -i^{\ell} f(x),\ \tilde{c}_0\, \theta y\, \tilde{f}'(-ix) \Big) \\ &= \Big( -i^{\ell} f(x),\ \tilde{c}_0\, \theta y\, (-i)^{\ell - 1} f'(x) \Big). \end{aligned}$$
If we assume ℓ ≡ 1 mod 4 then $(-i)^{\ell - 1} = 1$ such that $\tilde{c}_0$ is just a square root of π. Composing this with $\phi_3(x, y) = (ix, -i\theta y)$ we get that
$$\phi(x, y) = \big( f(x),\ \tilde{c}_0\, y\, f'(x) \big),$$
as well as B = π(A − 3σ). In this case we let $c_0 = \tilde{c}_0$.
If ℓ ≡ 3 mod 4 then $\tilde{c}_0^{\,2} = -\pi$ and the isogeny may not be defined over K. Post-composing it with the isomorphism $\tau : (x, y) \mapsto (-x, iy)$ fixes this if needed. In this case we find
$$\phi(x, y) = \big( f(x),\ -i\, \tilde{c}_0\, y\, f'(x) \big),$$
and again B = π(A − 3σ). Defining $c_0 = -i\, \tilde{c}_0$ finishes the proof.
As usual, it is better to use projective coordinates to avoid costly field inver-
sions, i.e., to represent the x-coordinate of a projective point P = (X : Y : Z)
as x(P ) = X/Z; the required adaptations are straightforward.

3.2 Locating supersingular Montgomery± curves


We now switch to curves over finite prime fields Fp . The lemma below shows that
supersingular Montgomery− curves over Fp are always located on the surface.

Lemma 1. Let $p > 3$ be a prime number and let $A \in \mathbb{F}_p$ be such that $E_A^- : y^2 = x^3 + Ax^2 - x$ is supersingular. Then $p \equiv 3 \bmod 4$, and there is no $P \in E_A^-(\mathbb{F}_p)$ such that $2P = (0, 0)$; in particular, $\mathrm{End}_p(E_A^-) \cong \mathbb{Z}[(1 + \sqrt{-p})/2]$.

Proof. Let $P$ be a point doubling to $(0, 0)$; note that, necessarily, both coordinates are non-zero. The tangent line at $P$ has slope
$$\frac{3x(P)^2 + 2Ax(P) - 1}{2y(P)}.$$
But, since the line should pass through $(0, 0)$, a simpler expression for this slope is $y(P)/x(P)$. Equating both expressions leads to $x(P)^2 + 1 = 0$. Now:
– If $p \equiv 1 \bmod 4$ then we conclude $x(P) = \pm i \in \mathbb{F}_p$ and hence $y(P)^2 = -A \mp 2i$. If both expressions on the right-hand side are non-squares then their product $A^2 + 4$ is a square, but then $x^3 + Ax^2 - x$ factors completely over $\mathbb{F}_p$. We conclude that in any case $4 \mid |E_A^-(\mathbb{F}_p)| = p + 1$, which is a contradiction.
– If $p \equiv 3 \bmod 4$ then this shows that such a point $P$ cannot be $\mathbb{F}_p$-rational. But then $E_A^-(\mathbb{F}_p)[2^\infty] \cong \mathbb{Z}/(2^e) \times \mathbb{Z}/(2)$ for some $e \geq 1$, since $|E_A^-(\mathbb{F}_p)| = p + 1 \equiv 0 \bmod 4$. Thus there are 3 outgoing $\mathbb{F}_p$-rational 2-isogenies, hence in view of [13, Thm. 2.7] our curve must be located on the surface.
The conclusion p ≡ 3 mod 4 also applies to supersingular Montgomery+ curves,
since it is known [2] that these always carry an Fp -rational point of order 4.
So, from now on, let us assume that p ≡ 3 mod 4. Then the above lemma
settles the ‘if’ part of Proposition 4 below, which can be viewed as the surface
version of the following statement:

Proposition 3. Let $p > 3$ be a prime number such that $p \equiv 3 \bmod 4$ and let $E$ be a supersingular elliptic curve over $\mathbb{F}_p$. If $\mathrm{End}_p(E) \cong \mathbb{Z}[\sqrt{-p}]$ then there exists a coefficient $a \in \mathbb{F}_p \setminus \{\pm 2\}$ for which $E$ is $\mathbb{F}_p$-isomorphic to the curve $E_a^+ : y^2 = x^3 + ax^2 + x$. Furthermore,
– this coefficient is always unique,
– if $p \equiv 3 \bmod 8$ then the converse implication holds as well.
Proof. If $p \equiv 3 \bmod 8$ then this is [7, Prop. 8]. If $p \equiv 7 \bmod 8$ then the relevant part of the proof of [7, Prop. 8] still applies.

Proposition 4. Let $p > 3$ be a prime number such that $p \equiv 3 \bmod 4$ and let $E$ be a supersingular elliptic curve over $\mathbb{F}_p$. Then $\mathrm{End}_p(E) \cong \mathbb{Z}[(1 + \sqrt{-p})/2]$ if and only if there exists a coefficient $A \in \mathbb{F}_p$ for which $E$ is $\mathbb{F}_p$-isomorphic to the curve $E_A^- : y^2 = x^3 + Ax^2 - x$. Furthermore,
– if $p \equiv 3 \bmod 8$ then there exist exactly three such coefficients,
– if $p \equiv 7 \bmod 8$ then this coefficient is unique.
We will prove this proposition by means of the following convenient tool,
connecting floor and surface:
Lemma 2. Let $p > 3$ be a prime number such that $p \equiv 3 \bmod 4$. Then
$$\tau : S^+_{p,\mathbb{Z}[\sqrt{-p}]} \to S_p^- : a \mapsto -2a/\sqrt{4 - a^2}$$
is a well-defined bijection.

Proof. For $a, b \in \mathbb{F}_p$ with $a^2 - 4b \neq 0$ let us write $E_{a,b}$ for the elliptic curve $y^2 = x^3 + ax^2 + bx$, which admits the well-known 2-isogeny
$$E_{a,b} \to E_{-2a,\,a^2 - 4b} : P \mapsto \begin{cases} \left(\dfrac{y(P)^2}{x(P)^2},\ y(P)\Big(1 - \dfrac{b}{x(P)^2}\Big)\right) & \text{if } P \neq (0, 0), \infty, \\[2ex] \infty & \text{if } P \in \{(0, 0), \infty\}. \end{cases} \qquad (2)$$
If $a \in S^+_{p,\mathbb{Z}[\sqrt{-p}]}$ then we find that $E_a^+ = E_{a,1}$ is 2-isogenous to the curve
$$E_{-2a,\,a^2 - 4} : y^2 = x^3 - 2ax^2 + (a^2 - 4)x,$$
which is necessarily supersingular. Since $E_a^+$ lives on the floor we see that $a^2 - 4$ is not a square in $\mathbb{F}_p$, hence $4 - a^2$ is a square and letting $\delta = \sqrt{4 - a^2}$, the substitution $x \leftarrow \delta x$, $y \leftarrow \delta^{3/2} y$ transforms the above equation into $y^2 = x^3 - \frac{2a}{\sqrt{4 - a^2}}\, x^2 - x$. We conclude that $\tau$ is indeed well-defined.

Conversely, if $A \in S_p^-$ then we find that $E_A^- = E_{A,-1}$ is 2-isogenous to
$$E_{-2A,\,A^2 + 4} : y^2 = x^3 - 2Ax^2 + (A^2 + 4)x.$$
Since $E_A^-$ lives on the surface by Lemma 1, we have that $A^2 + 4$ is a square in $\mathbb{F}_p$. Letting $\delta = \sqrt{A^2 + 4}$, the same substitution transforms our equation into $y^2 = x^3 - \frac{2A}{\sqrt{A^2 + 4}}\, x^2 + x$. It is easily checked that this curve has no $\mathbb{F}_p$-rational points of order 2 besides $(0, 0)$, hence the map
$$S_p^- \to S^+_{p,\mathbb{Z}[\sqrt{-p}]} : A \mapsto -2A/\sqrt{A^2 + 4} \qquad (3)$$
is also well-defined. An easy calculation shows that it is an inverse of $\tau$.
Proof of Proposition 4. By Proposition 3 each $\mathbb{F}_p$-isomorphism class of elliptic curves on the floor is represented by a unique Montgomery+ curve. Since such curves have a unique $\mathbb{F}_p$-rational point of order 2, the proof of Lemma 2 shows that $\mathbb{F}_p$-rational 2-isogenies give a 1-to-1 correspondence between $\mathcal{E}\ell\ell_p(\mathbb{Z}[\sqrt{-p}])$ and $S_p^-$. But on the level of $\mathbb{F}_p$-isomorphism classes, by [13, Thm. 2.7] this correspondence is 3-to-1 if $p \equiv 3 \bmod 8$ and 1-to-1 if $p \equiv 7 \bmod 8$.
If p ≡ 7 mod 8 then Proposition 3 leaves open whether or not there exist
a ∈ Sp+ such that Ea+ is located on the surface. To answer this, we rely on the
following lemma.

Lemma 3. If $p \equiv 7 \bmod 8$ then every $E \in \mathcal{E}\ell\ell_p(\mathbb{Z}[(1 + \sqrt{-p})/2])$ comes with three distinguished points of order 2:
– $P^-$, the x-coordinates of whose halves are not defined over $\mathbb{F}_p$,
– $P_1^+$, whose halves are not defined over $\mathbb{F}_p$, but their x-coordinates are,
– $P_2^+$, whose halves are defined over $\mathbb{F}_p$.
Proof. From the structure of $E(\mathbb{F}_p)[2^\infty]$ one sees that there is indeed a unique point $P_2^+$ of order 2 whose halves are $\mathbb{F}_p$-rational. If we position $P_2^+$ at $(0, 0)$ we find a model $y^2 = x^3 + ax^2 + bx$, where necessarily $b$ is a square, as can be seen by mimicking the proof of Lemma 1. When translating the other points of order 2 to the origin we get similar equations, of which the coefficients at $x$ become $\delta(\delta \pm a)/2$ with $\delta = \sqrt{a^2 - 4b}$. The product of these coefficients equals $-b\delta^2$, hence we conclude that one coefficient is a non-square and one coefficient is a square. So, again as in the proof of Lemma 1, we see that the former translated point equals $P^-$, while the latter translated point equals $P_1^+$.

Corollary 1. If $p \equiv 7 \bmod 8$ then each $E \in \mathcal{E}\ell\ell_p(\mathbb{Z}[(1 + \sqrt{-p})/2])$ admits exactly 2 coefficients $a \in \mathbb{F}_p \setminus \{\pm 2\}$ for which $E$ is $\mathbb{F}_p$-isomorphic to the curve $E_a^+ : y^2 = x^3 + ax^2 + x$.
Proof. By Proposition 4, such curves admit a unique Montgomery− model. Note
that, for this model, P − is positioned at (0, 0). The two Montgomery+ models
are obtained by translating P1+ or P2+ to (0, 0) and scaling down the resulting
b-coefficient (which is a square) to 1, by means of a coordinate change.
Table 1 summarizes how and with what frequency Montgomery± curves show
up as representatives of Fp -isomorphism classes of supersingular elliptic curves.
Figures 1 and 2 give an accompanying visual representation.

4 2-isogenies between Montgomery− curves


In this section we assume that $p \equiv 7 \bmod 8$ and we consider the maximal order $\mathbb{Z}[(1 + \sqrt{-p})/2]$, in which $(2) = (2, (\sqrt{-p} - 1)/2)\,(2, (\sqrt{-p} + 1)/2)$. We describe a fast method for computing the repeated action of one of the factors as a chain of 2-isogenies. This relies on the following remarkably precise statement (recall our convention on square roots!):

[Figure 1 (image not reproduced): the supersingular isogeny graph over $\mathbb{F}_p$ for $p \equiv 3 \bmod 8$; the surface $\mathcal{E}\ell\ell_p(\mathbb{Z}[(1 + \sqrt{-p})/2])$ is labelled by $S_p^-$ and the floor $\mathcal{E}\ell\ell_p(\mathbb{Z}[\sqrt{-p}])$ by $S_p^+$.]

Fig. 1. The supersingular isogeny graph over $\mathbb{F}_p$ with $p \equiv 3 \bmod 8$. The black dots represent supersingular elliptic curves up to $\mathbb{F}_p$-isomorphism. The yellow lines represent the 2-isogenies, which are necessarily between the surface and the floor. The purple lines represent the $\ell$-isogenies for some fixed $\ell$ such that $(\ell, \pi - 1)$ generates $\mathcal{C}\ell(\mathbb{Z}[\sqrt{-p}])$. This implies that the $\ell$-isogenies on the floor create one big cycle which we need to depict as spiraling around three times. Indeed, the action of $(\ell, \pi - 1)$ on the surface should result in the same $\mathbb{F}_p$-isomorphism class as first computing a vertical 2-isogeny taking us to the floor, then performing the action of $(\ell, \pi - 1)$, and finally computing a vertical 2-isogeny back to the surface. The red dots and lines represent the Montgomery+ coefficients, which are 1-to-1 with the isomorphism classes on the floor. This correspondence forms the basis for the original CSIDH setting described in [7]. The blue dots and lines represent the Montgomery− coefficients, which are 3-to-1 with the isomorphism classes on the surface.

                                    |S^+_{p,O}| : |Eℓℓ_p(O)|    |S_p^-| : |Eℓℓ_p(O)|
p ≡ 3 mod 8    O = Z[(1+√−p)/2]              0                      (3 : 1)
               O = Z[√−p]                 (1 : 1)                       0
p ≡ 7 mod 8    O = Z[(1+√−p)/2]           (2 : 1)                   (1 : 1)
               O = Z[√−p]                 (1 : 1)                       0
p ≡ 1 mod 4                                  0                          0

Table 1. The ratio of the number of Montgomery± coefficients to the number of $\mathbb{F}_p$-isomorphism classes of supersingular elliptic curves.

[Figure 2 (image not reproduced): the supersingular isogeny graph over $\mathbb{F}_p$ for $p \equiv 7 \bmod 8$; the surface $\mathcal{E}\ell\ell_p(\mathbb{Z}[(1 + \sqrt{-p})/2])$ is labelled by $S_p^-$ and $S^+_{p,\mathbb{Z}[(1 + \sqrt{-p})/2]}$, the floor $\mathcal{E}\ell\ell_p(\mathbb{Z}[\sqrt{-p}])$ by $S^+_{p,\mathbb{Z}[\sqrt{-p}]}$.]

Fig. 2. The supersingular isogeny graph over $\mathbb{F}_p$ with $p \equiv 7 \bmod 8$. The black dots represent supersingular elliptic curves up to $\mathbb{F}_p$-isomorphism. The yellow lines represent the 2-isogenies, where we assumed that $(2, (\sqrt{-p} - 1)/2)$ generates the class group. The red dots and lines represent the Montgomery+ coefficients, which are 2-to-1 with the isomorphism classes on the surface and 1-to-1 with the isomorphism classes on the floor. The blue dots and lines represent the Montgomery− coefficients, which are 1-to-1 with the isomorphism classes on the surface. Unlike in Figure 1, no $\ell$-isogenies for odd $\ell$ are depicted here since it is more natural to draw the cycle of 2-isogenies on the surface.

Lemma 4 (Addendum to Lemma 3). Assume $p \equiv 7 \bmod 8$ and consider an elliptic curve $E : y^2 = x^3 + ax^2 + bx \in \mathcal{E}\ell\ell_p(\mathbb{Z}[(1 + \sqrt{-p})/2])$. Let $\delta = \sqrt{a^2 - 4b}$ and $T_1 = ((-a + \delta)/2, 0)$, $T_2 = ((-a - \delta)/2, 0)$. Then:
1. if $(0, 0) = P^-$ then $T_1 = P_2^+$ and $T_2 = P_1^+$,
2. if $(0, 0) = P_1^+$ then $T_1 = P_2^+$ and $T_2 = P^-$,
3. if $(0, 0) = P_2^+$ then $T_1 = P^-$ and $T_2 = P_1^+$.
Proof. The change of coordinates $x \leftarrow x + (-a + \delta)/2$ yields
$$y^2 = x\left(x + \frac{-a + \delta}{2}\right)(x + \delta) = x^3 + \frac{-a + 3\delta}{2}\,x^2 + \frac{\delta(-a + \delta)}{2}\,x \qquad (4)$$
and positions $T_1$ at the origin. As in the proof of Lemma 1 we see that $T_1 = P_1^+$ or $T_1 = P_2^+$ if and only if the coefficient $\delta(-a + \delta)/2$ is a square, i.e., if and only if $-a + \delta$ is a square.
In particular, for case 2 it suffices to show that $-a + \delta$ is a square. To this end, note that the 2-isogeny from the proof of Lemma 2 takes our input curve $E : y^2 = x^3 + ax^2 + bx$ to $y^2 = x^3 - 2ax^2 + \delta^2 x$, while mapping $P_2^+$ to $(0, 0)$. But then an $\mathbb{F}_p$-rational half of $P_2^+$ is mapped to an $\mathbb{F}_p$-rational half of $(0, 0)$, which is necessarily of the form $\big(\pm\delta,\ \sqrt{2\delta^2(-a \pm \delta)}\big)$. We conclude that at least one of $-a + \delta$ or $-a - \delta$ is a square, but then both elements are squares since their product equals the square $4b$.
Similarly, for case 3 it suffices to prove that $-a + \delta$ is not a square. We can consider the same 2-isogeny, which now maps $P_1^+$ to $(0, 0)$. Using that any point $Q \in E(\mathbb{F}_{p^2} \setminus \mathbb{F}_p)$ doubling to $P_1^+$ satisfies $\pi_E(Q) = -Q$, which is different from both $Q$ and $Q + (0, 0)$, we conclude that the image of $P_1^+$ cannot be $\mathbb{F}_p$-halvable. From this the desired conclusion follows.
Finally, to settle case 1, consider the curve (4), whose point $(0, 0)$ is either $P_1^+$ or $P_2^+$. Also note that the first non-trivial factor in (4) corresponds to $P^-$. But using the identity
$$\left(\frac{-a + 3\delta}{2}\right)^2 - 4\,\frac{\delta(-a + \delta)}{2} = \left(\frac{a + \delta}{2}\right)^2,$$
we can rewrite (4) as
$$y^2 = x\left(x - \frac{-\frac{-a + 3\delta}{2} + \frac{a + \delta}{2}}{2}\right)\left(x - \frac{-\frac{-a + 3\delta}{2} - \frac{a + \delta}{2}}{2}\right).$$
Using case 2 and the fact that $(a + \delta)/2$ is a square, we see that if $(0, 0) = P_1^+$, then the first non-trivial factor of (4) would instead correspond to $P_2^+$. We conclude that $(0, 0) = P_2^+$, from which the lemma follows.
This will be combined with the following fact:

Lemma 5. Assume that $p \equiv 7 \bmod 8$ and let $E \in \mathcal{E}\ell\ell_p(\mathbb{Z}[(1 + \sqrt{-p})/2])$. Then
$$E\left[\left(2, \frac{\sqrt{-p} - 1}{2}\right)\right] = \langle P_2^+ \rangle \qquad \text{and} \qquad E\left[\left(2, \frac{\sqrt{-p} + 1}{2}\right)\right] = \langle P_1^+ \rangle.$$

Proof. As in the proof of Lemma 2 one checks that $P^-$ takes us down to the floor, so it suffices to prove the first equality. Let $Q \in E(\mathbb{F}_p)$ be such that $2Q = P_2^+$ and let $\phi$ denote the endomorphism $\frac{\pi_E - 1}{2}$, then $\phi(P_2^+) = \phi(2Q) = 2\phi(Q) = \pi_E(Q) - Q = \infty$, from which the statement follows.

The formulas to compute 2-isogenies between Montgomery− curves seem
easiest if we perform almost all of them on isomorphic Montgomery+ curves. We
formulate the procedure in the form of an algorithm.


Algorithm 1 Computing the action of $(2, (\sqrt{-p} - 1)/2)^e$ on $A \in S_p^-$, with $p \equiv 7 \bmod 8$
1: if $e = 0$ then return $A$
2: else
3:   $A \leftarrow \mathrm{sign}(e) \cdot A$
4:   $A \leftarrow \dfrac{2\big(A - 3\sqrt{A^2 + 4}\big)}{A + \sqrt{A^2 + 4}}$
5:   for $i$ from 2 to $e$ do
6:     $A \leftarrow 2\Big(3 + A\big(\sqrt{A^2 - 4} - A\big)\Big)$
7:   $A \leftarrow -\dfrac{A + 3\sqrt{A^2 - 4}}{\sqrt{-2\sqrt{A^2 - 4}\,\big(A + \sqrt{A^2 - 4}\big)}}$
8:   return $\mathrm{sign}(e) \cdot A$

Sketch of the proof of Algorithm 1. Note that quadratic twisting swaps the roles
of P1+ and P2+ , so with Lemma 5 in mind, we can simply flip the sign of A at
the start and the end of the algorithm and focus on P2+ . Line 4 constitutes
a translation x ← x + (−a + δ)/2, which by Lemma 4 positions T1 = P2+
at the origin, followed by the 2-isogeny from (2) and a rescaling to obtain a
Montgomery+ curve.
Line 6 is immediate from [19, Proposition 2], where it should be noted that,
due to our choice of canonical square root, x(P2+ ) is always a square so that we
do not need to consider possible twists. Line 7 is just a translation followed by
a rescaling to put everything back in Montgomery− form.
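The bijection τ of Lemma 2, the coefficient ratios of Table 1 and the 2-isogeny walk of Algorithm 1, as an added example that is not part of the paper or of its Magma implementation. Rather than the closed-form lines 4, 6 and 7, the walk follows the route of the proof sketch above (translate the kernel point to the origin, apply the 2-isogeny (2), move the codomain's $P^-$ to the origin and rescale), labels the three points of order 2 with the halving criterion from the proof of Lemma 3, and uses the canonical square root $x^{(p+1)/4}$, which is itself a square. The toy primes 419 ($\equiv 3 \bmod 8$) and 431 ($\equiv 7 \bmod 8$), the starting coefficient $A = 0$ (the curve $y^2 = x^3 - x$) and all function names are constructed for this example.

```python
# Added example, not the paper's own code: Lemma 2's bijection tau, the Table 1 ratios,
# and Algorithm 1's 2-isogeny walk done along the route of its proof sketch rather than
# its closed-form lines. Curves are y^2 = x^3 + a x^2 + b x over F_p; p = 3 mod 4 throughout.

def is_square(x, p):
    x %= p
    return x == 0 or pow(x, (p - 1) // 2, p) == 1

def sqrt_mod(x, p):
    # canonical root x^((p+1)/4) for p = 3 mod 4: the square root that is itself a square
    r = pow(x % p, (p + 1) // 4, p)
    if r * r % p != x % p:
        raise ValueError("not a square mod p")
    return r

def inv(x, p):
    return pow(x % p, p - 2, p)

def is_supersingular(a, b, p):
    # #E(F_p) = p + 1 + sum_x chi(x^3 + a x^2 + b x), so supersingular iff the sum is 0
    s = 0
    for x in range(p):
        f = (x * x * x + a * x * x + b * x) % p
        if f:
            s += 1 if is_square(f, p) else -1
    return s == 0

def montgomery_sets(p):
    """S_p^+ (a != ±2 with E_a^+ supersingular) and S_p^- (A with E_A^- supersingular)."""
    s_plus = [a for a in range(p) if a not in (2, p - 2) and is_supersingular(a, 1, p)]
    s_minus = [A for A in range(p) if is_supersingular(A, p - 1, p)]
    return s_plus, s_minus

def tau(a, p):
    # Lemma 2: a -> -2a / sqrt(4 - a^2); on the floor 4 - a^2 is a square
    return -2 * a * inv(sqrt_mod(4 - a * a, p), p) % p

def tau_inverse(A, p):
    # the map (3): A -> -2A / sqrt(A^2 + 4); on the surface A^2 + 4 is a square
    return -2 * A * inv(sqrt_mod(A * A + 4, p), p) % p

def table1_counts(p):
    """(|S_p^-|, floor part of S_p^+, surface part of S_p^+); E_a^+ lies on the floor iff
    (0,0) is its only rational point of order 2, i.e. iff a^2 - 4 is a non-square."""
    s_plus, s_minus = montgomery_sets(p)
    floor = sum(1 for a in s_plus if not is_square(a * a - 4, p))
    return len(s_minus), floor, len(s_plus) - floor

def two_torsion(a, b, p):
    # x-coordinates of the three points of order 2 (all rational on the surface)
    d = sqrt_mod(a * a - 4 * b, p)
    return [0, (-a + d) * inv(2, p) % p, (-a - d) * inv(2, p) % p]

def translate(a, b, r, p):
    # x <- x + r moves the point (r, 0) of order 2 to the origin
    return (a + 3 * r) % p, (3 * r * r + 2 * a * r + b) % p

def classify(a, b, r, p):
    # Lemma 3 label of (r, 0): once it sits at the origin, the halves of (0,0) have
    # x = ±sqrt(b'), and they are rational iff additionally a' + 2 sqrt(b') is a square
    a1, b1 = translate(a, b, r, p)
    if not is_square(b1, p):
        return "P-"
    return "P2+" if is_square(a1 + 2 * sqrt_mod(b1, p), p) else "P1+"

def isogeny2(a, b, p):
    # codomain of the 2-isogeny (2), whose kernel is <(0,0)>
    return (-2 * a) % p, (a * a - 4 * b) % p

def step(A, label, p):
    """Quotient E_A^- (p = 7 mod 8) by its point of order 2 labelled `label` and return the
    Montgomery- coefficient of the result: "P2+" realises (2, (sqrt(-p)-1)/2) and "P1+"
    its conjugate, by Lemma 5."""
    a, b = A % p, p - 1
    r = next(r for r in two_torsion(a, b, p) if classify(a, b, r, p) == label)
    a1, b1 = isogeny2(*translate(a, b, r, p), p)
    r1 = next(r for r in two_torsion(a1, b1, p) if classify(a1, b1, r, p) == "P-")
    a2, b2 = translate(a1, b1, r1, p)
    g = sqrt_mod(-b2, p)   # x <- g x, y <- g^(3/2) y; g is a square, so no twist is introduced
    return a2 * inv(g, p) % p

def walk(A, e, p):
    """Action of (2, (sqrt(-p)-1)/2)^e on A; a negative e uses the conjugate ideal."""
    for _ in range(abs(e)):
        A = step(A, "P2+" if e > 0 else "P1+", p)
    return A

def orbit(A, p):
    """Coefficients visited from A under repeated action, until A is reached again."""
    cyc, B = [A], step(A, "P2+", p)
    while B != A and len(cyc) < p:
        cyc.append(B)
        B = step(B, "P2+", p)
    return cyc
```

Since $(2, (\sqrt{-p} - 1)/2)\,(2, (\sqrt{-p} + 1)/2) = (2)$ and each surface class has a unique Montgomery− coefficient for $p \equiv 7 \bmod 8$, `walk(walk(A, e, p), -e, p)` must return `A`; together with `tau_inverse(tau(a, p), p) == a`, the equality of the image of `tau` with $S_p^-$ for $p = 419$, and the Table 1 ratios returned by `table1_counts`, these are the checks the code is meant to be run against. The point counts are brute force and only sensible for toy primes.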

5 ‘New’ hard homogeneous spaces

For each non-zero entry of Table 1 we obtain a specialization of Theorem 1. For instance, Theorem 2 corresponds to the entry covering Montgomery+ curves, primes $p \equiv 3 \bmod 8$ and endomorphism ring $O = \mathbb{Z}[\sqrt{-p}]$. The main goal of this section is to prove Theorem 3, which takes care of two further entries, namely those corresponding to Montgomery− curves, primes $p \equiv 3, 7 \bmod 8$ and endomorphism ring $O = \mathbb{Z}[(1 + \sqrt{-p})/2]$:
Proof of Theorem 3. If $p \equiv 7 \bmod 8$ then this follows immediately from Theorem 1, along with Proposition 2 and the fact that each $\mathbb{F}_p$-isomorphism class on the surface is represented by exactly one Montgomery− curve.
If $p \equiv 3 \bmod 8$ then consider the bijection $\tau$ from Lemma 2, and let $\rho^+$ be the group action from Theorem 2. We then define
$$\mathcal{C}\ell(\mathbb{Z}[\sqrt{-p}]) \times S_p^- \to S_p^- : ([\mathfrak{a}], A) \mapsto \tau\big(\rho^+([\mathfrak{a}], \tau^{-1}(A))\big),$$
which is clearly a well-defined free and transitive group action, simply because $\tau$ is a bijection. So it suffices to show that this matches with $\rho^-$. For this, consider a Montgomery− coefficient $A$ and an invertible ideal $\mathfrak{a} \subseteq \mathbb{Z}[\sqrt{-p}]$ having odd norm, along with the subgroup of $E_A^-$ spanned by $E_A^-[\mathfrak{a}]$ and $(0, 0)$. We quotient out this subgroup in the following two ways:
– We first quotient out by $E_A^-[\mathfrak{a}]$, using the formulas from Proposition 2, yielding a Montgomery− curve $E_B^-$. Let us abusingly denote the corresponding isogeny by $\rho^-$, and note that it maps $(0, 0)$ to $(0, 0)$. So we can continue by applying the 2-isogeny from (2), in order to arrive at the Montgomery+ curve $E^+_{\tau^{-1}(B)}$ on the floor.
– Conversely, we apply the 2-isogeny from (2), taking us to the Montgomery+ curve $E^+_{\tau^{-1}(A)}$. Note that this maps $E_A^-[\mathfrak{a}]$ to $E^+_{\tau^{-1}(A)}[\mathfrak{a}]$, which we quotient out in turn, by means of the formulas from [19, Prop. 1]. By the same abuse of notation, we denote the latter isogeny by $\rho^+$. Because every curve on the floor is represented by a unique Montgomery+ coefficient, this necessarily takes us to $E^+_{\tau^{-1}(B)}$.
Thus we obtain the diagram
$$\begin{array}{ccc} E_A^- & \xrightarrow{\ \rho^-\ } & E_B^- \\ {\scriptstyle \theta_A}\downarrow & & \downarrow{\scriptstyle \theta_B} \\ E^+_{\tau^{-1}(A)} & \xrightarrow{\ \rho^+\ } & E^+_{\tau^{-1}(B)} \end{array}$$
with $\theta_A$ and $\theta_B$ denoting the above 2-isogenies, where our reasoning in fact shows that $[\pm 1] \circ \theta_B \circ \rho^- = \rho^+ \circ \theta_A$. This implies that $[\pm 2] \circ \rho^- = \hat\theta_B \circ \rho^+ \circ \theta_A$. Multiplication by $\pm 2$ does not change the curve $E_B^-$, so we are done.

Remark 2. Here are two examples of how the surface can help in understanding the floor. We assume $p \equiv 3 \bmod 8$.
– Let $a, a' \in S_p^+$ be given and let $[\mathfrak{a}] \in \mathcal{C}\ell(\mathbb{Z}[\sqrt{-p}])$ be an unknown ideal class such that $a' = [\mathfrak{a}] \star a$ (action by $\rho^+$ on the floor). By the foregoing proof this is equivalent with $\tau(a') = [\mathfrak{a}] \star \tau(a)$ (action by $\rho^-$ on the surface), which on the level of $\mathbb{F}_p$-isomorphism classes implies that
$$E^-_{\tau(a')} \cong [\tilde{\mathfrak{a}}] \star E^-_{\tau(a)},$$
where $\tilde{\mathfrak{a}}$ is the ideal of $\mathbb{Z}[(1 + \sqrt{-p})/2]$ generated by $\mathfrak{a}$. Clearly, in order to find $[\mathfrak{a}]$ it suffices to find $[\tilde{\mathfrak{a}}]$, and then simply try the 3 corresponding possibilities for $\mathfrak{a}$. This confirms that the factor 3 in $|\mathcal{C}\ell(\mathbb{Z}[\sqrt{-p}])|$ offers little extra security to CSIDH.
– If we want a fast evaluation of the action of $[(4, \sqrt{-p} - 1)] \in \mathcal{C}\ell(\mathbb{Z}[\sqrt{-p}])$ on $S_p^+$, this can be done by composing two 2-isogenies, thereby passing through the surface using $\tau$ and $\tau^{-1}$. We leave it as an exercise to verify that this leads to the simple formula $[(4, \sqrt{-p} - 1)] \star a = 2(a - 6)/(a + 2)$, which was first derived in [17, §4.2].

This leaves us with the two entries corresponding to Montgomery+ curves and primes $p \equiv 7 \bmod 8$. This behaves less uniformly since some curves live on the surface and some live on the floor, and in any case these entries seem of lesser cryptographic interest.
If $p \equiv 7 \bmod 8$ then $|\mathcal{C}\ell(\mathbb{Z}[\sqrt{-p}])| = |\mathcal{C}\ell(\mathbb{Z}[(1 + \sqrt{-p})/2])|$. Hence in view of Table 1 there are exactly 3 times as many supersingular Montgomery+ coefficients $a \in \mathbb{F}_p \setminus \{\pm 2\}$ as there are $\mathbb{F}_p$-isomorphism classes of supersingular elliptic curves:
– Under the map $a \mapsto E_a^+$, one third of these are in a 1-to-1 correspondence with $\mathcal{E}\ell\ell_p(\mathbb{Z}[\sqrt{-p}])$. In particular, Theorem 2 remains valid for $p \equiv 7 \bmod 8$, provided that we replace $S_p^+$ with $S^+_{p,\mathbb{Z}[\sqrt{-p}]}$.
– According to the proof of Corollary 1, the other two thirds split into
$$S^+_{p,\mathbb{Z}[(1 + \sqrt{-p})/2],1} = \big\{\, a \in S^+_{p,\mathbb{Z}[(1 + \sqrt{-p})/2]} \ \big|\ (0, 0) \notin 2E_a^+(\mathbb{F}_p) \,\big\}$$
and
$$S^+_{p,\mathbb{Z}[(1 + \sqrt{-p})/2],2} = \big\{\, a \in S^+_{p,\mathbb{Z}[(1 + \sqrt{-p})/2]} \ \big|\ (0, 0) \in 2E_a^+(\mathbb{F}_p) \,\big\},$$
and both sets are in a 1-to-1 correspondence with $\mathcal{E}\ell\ell_p(\mathbb{Z}[(1 + \sqrt{-p})/2])$. Since the instantiated versions of Vélu's formulae map $(0, 0)$ to $(0, 0)$, in the statement of Theorem 2 we are equally allowed to replace $\mathbb{Z}[\sqrt{-p}]$ with $\mathbb{Z}[(1 + \sqrt{-p})/2]$ and $S_p^+$ with $S^+_{p,\mathbb{Z}[(1 + \sqrt{-p})/2],i}$, for any choice of $i = 1, 2$.

Remark 3. The latter setting again allows for horizontal 2-isogenies, therefore
it should give rise to very similar timings as those reported upon in Section 6.
One minor drawback is that Alice and Bob should agree on the value of i and
validate each other’s public keys as such; moreover 0 can no longer be used as a
starting coefficient.

Remark 4. Alternatively, it is natural to view
$$S^+_{p,\mathbb{Z}[(1 + \sqrt{-p})/2],1} \qquad \text{and} \qquad S^+_{p,\mathbb{Z}[(1 + \sqrt{-p})/2],2}$$
as two orbits under the free but non-transitive action
$$\rho^+ : \mathcal{C}\ell(\mathbb{Z}[(1 + \sqrt{-p})/2]) \times S^+_{p,\mathbb{Z}[(1 + \sqrt{-p})/2]} \to S^+_{p,\mathbb{Z}[(1 + \sqrt{-p})/2]}$$
described by the same formulae. Using that the quadratic twisting map $E_a^+ \mapsto E_{-a}^+$ jumps back and forth between the two orbits, along with the fact that $[\mathfrak{a}] \star E^t \cong ([\mathfrak{a}]^{-1} \star E)^t$ (see e.g. [8, Lem. 5]), the two orbits can be glued together into a single orbit under an action by the dihedral group $\mathrm{Dih}\,\mathcal{C}\ell(\mathbb{Z}[(1 + \sqrt{-p})/2])$.

6 Implementation
We assume that the reader is familiar with how CSIDH is being set up in practice [7]. In this section we use Theorem 3 and Algorithm 1 to design a variant of CSIDH acting on $S_p^-$ rather than $S_p^+$. Recall from [7] that CSIDH-512 uses the prime
$$p = 4 \cdot \underbrace{(3 \cdot \ldots \cdot 373)}_{\text{73 first odd primes}} \cdot 587 - 1 \approx 2^{510.668},$$
and then samples exponents from the range $[-5; 5]^{74}$ to represent an element in the class group and let it act on $0 \in S_p^+$, for a conjectured 128 bits of classical security. Concretely, the exponent vector $(e_1, \ldots, e_{74})$ in this case represents the class group element $(3, \sqrt{-p} - 1)^{e_1} \cdots (587, \sqrt{-p} - 1)^{e_{74}}$. For the sake of comparison, we propose CSURF-512 which works over $\mathbb{F}_p$ where
$$p = 2^3 \cdot 3 \cdot \underbrace{(3 \cdot \ldots \cdot 389)}_{\text{74 consecutive primes, skip 347 and 359}} - 1 \approx 2^{512.880}.$$
This prime will speed up the computation of a class group action in multiple ways. First of all, the largest isogeny we need to compute is of degree 389 instead of 587. Secondly, $p + 1$ carries an extra factor 3 that can help with sampling points of order 3 to compute 3-isogenies. Indeed, finding an $\ell$-torsion point typically amounts to sampling a random point $P$ and multiplying it by $(p + 1)/\ell$, which has a $1/\ell$ chance of failure (i.e. we end up in $\infty$). For CSURF-512 we can multiply a random point $P$ by both $(p + 1)/9$ and $(p + 1)/3$ to try and find a point of order 3, improving our chance of failure to only $1/9$.
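The x-only arithmetic of Proposition 1, the odd-degree isogeny of Proposition 2 and the cofactor method for $\ell$-torsion points with its $1/\ell$ failure rate, as one added example that is not part of the paper or of its Magma implementation. It works on $E_A^- : y^2 = x^3 + Ax^2 - x$ in projective $(X : Z)$ form, counts exactly how many points the cofactor $(p+1)/\ell$ sends to $\infty$, and checks Proposition 2 by verifying that $(f(x), c_0 y f'(x))$ with $c_0^2 = \pi$ satisfies the equation of $E_B^-$, i.e. $f^3 + Bf^2 - f = \pi f'^2 (x^3 + Ax^2 - x)$, at every $x$ where $f$ is defined. The toy prime $p = 4 \cdot 3 \cdot 5 \cdot 7 - 1 = 419$, the curve $A = 0$ (supersingular since $p \equiv 3 \bmod 4$, so $|E_0^-(\mathbb{F}_p)| = p + 1$) and all function names are constructed for this example.

```python
# Added example, not the paper's own code: x-only arithmetic on E_A^-: y^2 = x^3 + A x^2 - x
# (Proposition 1), the cofactor method for ell-torsion points with its 1/ell failure rate
# (this section), and the odd-degree isogeny of Proposition 2 checked on the codomain.
# Toy prime p = 4*3*5*7 - 1 = 419 and the curve A = 0 are constructed for this example.

p = 419

def inv(x):
    return pow(x % p, p - 2, p)

def is_square(x):
    x %= p
    return x == 0 or pow(x, (p - 1) // 2, p) == 1

def xdbl(P, A):
    # Proposition 1(1) on (X:Z), x = X/Z, (1:0) = infinity: x(2P) = (x^2+1)^2 / (4(x^3+Ax^2-x))
    X, Z = P
    return (X * X + Z * Z) ** 2 % p, 4 * X * Z * (X * X + A * X * Z - Z * Z) % p

def xadd(P, Q, D):
    # Proposition 1(2) with D = P - Q: x(P+Q) = (x_P x_Q + 1)^2 / ((x_P - x_Q)^2 x(P-Q));
    # the proposition excludes infinity, so those inputs are handled first
    (XP, ZP), (XQ, ZQ), (XD, ZD) = P, Q, D
    if ZP == 0:
        return Q
    if ZQ == 0:
        return P
    return ZD * (XP * XQ + ZP * ZQ) ** 2 % p, XD * (XP * ZQ - XQ * ZP) ** 2 % p

def ladder(n, P, A):
    """Montgomery ladder on E_A^-: x([n]P) as (X:Z) for an affine P = (X:Z)."""
    if P[0] % p == 0:          # (0,0) has order 2, and x(P-Q) = 0 breaks the difference formula
        return P if n % 2 else (1, 0)
    R0, R1 = (1, 0), P         # invariant: R1 - R0 = P
    for bit in bin(n)[2:]:
        if bit == "1":
            R0, R1 = xadd(R0, R1, P), xdbl(R1, A)
        else:
            R0, R1 = xdbl(R0, A), xadd(R0, R1, P)
    return R0

def affine_x(P):
    return None if P[1] == 0 else P[0] * inv(P[1]) % p

def torsion_point_x(A, ell, x):
    """Cofactor method: x([(p+1)/ell]P) for the point P with x-coordinate x, or None when
    x is not on E_A^- or the multiple is infinity (probability about 1/ell)."""
    if not is_square(x ** 3 + A * x * x - x):
        return None
    return affine_x(ladder((p + 1) // ell, (x, 1), A))

def cofactor_failures(A, ell):
    """Affine points of E_A^-(F_p) that the cofactor (p+1)/ell sends to infinity, counting
    (x, y) and (x, -y) separately; the 1/ell estimate predicts about (p+1)/ell of them."""
    fails = 0
    for x in range(p):
        f = (x ** 3 + A * x * x - x) % p
        if (f == 0 or is_square(f)) and ladder((p + 1) // ell, (x, 1), A)[1] == 0:
            fails += 1 if f == 0 else 2
    return fails

def isogeny_odd(A, xT, ell):
    """Proposition 2 for G = <T>, T of odd prime order ell with x(T) = xT: returns
    (B, pi, xs) with xs = [x(kT) for k = 1..ell-1] (kT and -kT share an x-coordinate)."""
    xs = [affine_x(ladder(k, (xT, 1), A)) for k in range(1, ell)]
    pi, sigma = 1, 0
    for xk in xs:
        pi, sigma = pi * xk % p, (sigma + xk + inv(xk)) % p
    return pi * (A - 3 * sigma) % p, pi, xs

def isogeny_eval(xs, x):
    """(f(x), f'(x)) for f(x) = x prod (x x_T + 1)/(x - x_T), using the logarithmic derivative
    f'/f = 1/x + sum (x_T/(x x_T + 1) - 1/(x - x_T)); None where f has a pole or a zero."""
    if x % p == 0 or any((x - xk) % p == 0 or (x * xk + 1) % p == 0 for xk in xs):
        return None
    f, logd = x % p, inv(x)
    for xk in xs:
        f = f * (x * xk + 1) * inv(x - xk) % p
        logd = (logd + xk * inv(x * xk + 1) - inv(x - xk)) % p
    return f, f * logd % p

def check_prop2(A, ell):
    """Build the ell-isogeny from the first ell-torsion point the cofactor method finds and
    verify f^3 + B f^2 - f = pi f'^2 (x^3 + A x^2 - x), i.e. that (f(x), c0 y f'(x)) with
    c0^2 = pi lies on E_B^-, at every x where f is defined and non-zero. Returns (B, #x)."""
    xT = next(q for q in (torsion_point_x(A, ell, x) for x in range(1, p)) if q is not None)
    B, pi, xs = isogeny_odd(A, xT, ell)
    checked = 0
    for x in range(1, p):
        r = isogeny_eval(xs, x)
        if r is None:
            continue
        f, fp = r
        if (f ** 3 + B * f * f - f - pi * fp * fp * (x ** 3 + A * x * x - x)) % p:
            raise AssertionError("Proposition 2 identity fails at x = %d" % x)
        checked += 1
    return B, checked
```

On $E_0^-(\mathbb{F}_{419}) \cong \mathbb{Z}/2 \times \mathbb{Z}/210$ the points killed by $(p+1)/\ell$ are exactly $E[(p+1)/\ell]$, so `cofactor_failures(0, ell)` returns $(p+1)/\ell - 1$ affine points (139, 83 and 59 for $\ell = 3, 5, 7$), which is the $1/\ell$ failure rate of the text made exact; `ladder(p + 1, P, 0)` must return $Z = 0$ for every $P$ since both the curve and its twist have $p + 1$ points. The ladder handles $\infty$ and the point $(0, 0)$ explicitly because Proposition 1 excludes those inputs.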
The biggest speed-up however stems from the fact that p ≡ 7 mod 8, so we
now have 2 as a 75th prime to use. Furthermore 2-isogenies are very fast due
to their simple and explicit formulae, see Algorithm 1, so we can sample the
exponent for 2 from a much larger interval. In practice we evaluate these 2-
isogenies first, without pushing through points, and then proceed with the other
primes as in CSIDH.
We implemented both CSIDH-512 and CSURF-512 in Magma [6] to compare
their performance. With the exception of 2-isogenies, both implementations are
totally similar, making use of the (projective) Montgomery ladder, the pushing
through of points, etc., the only differences being the sign switches discussed in
Section 3.1. However, we did not implement any of the constant-time measures
since these are orthogonal to the speed-up we described. Based on experiments,
a near-optimal set to sample exponent vectors from seems to be
$$I = [-137; 137] \times [-4; 4]^3 \times [-5; 5]^{46} \times [-4; 4]^{25},$$
which results in $275 \cdot 9^{28} \cdot 11^{46} \approx 2^{255.995}$ distinct secret vectors. As in CSIDH-
512, we heuristically expect that these vectors represent the elements in the
class group quasi-uniformly, by mimicking the reasoning from [7, §7.1]. Note
that for 3-, 5- and 7-isogenies we sample from a smaller interval, since the ease of
computing the isogeny is outweighed by the high failure probability of finding the
needed torsion points. Sampling from this specific set of exponent vectors gives
CSURF-512 a speed-up of about 5.68% compared to CSIDH-512; this estimate
is based on an experiment generating 25 000 public keys in both settings. Our
source code can be found at https://github.com/TDecru/CSURF.
As a final remark, we note that the advantage of working on the surface
is expected to diminish when the underlying prime p becomes larger, since the
relative contribution of 2-isogenies will decrease. This is especially relevant given
the ongoing discussion about the conjectured quantum security of the protocol,
see for example [5,18,3]. However, if p ≡ 7 mod 8 then the surface will always
outperform the floor to some extent. This means that setting up these larger
instantiations of the CSIDH protocol should preferably be done on the surface,
in any case.

References
1. Berre Baelen. Post-quantum key-exchange: Using group actions from supersingular
elliptic curve isogenies. Master’s thesis, KU Leuven, 2019.
2. Daniel J Bernstein and Tanja Lange. Montgomery curves and the Montgomery lad-
der. In Topics in computational number theory inspired by Peter L. Montgomery,
pages 82–115. Cambridge University Press, 2017.
3. Daniel J. Bernstein, Tanja Lange, Chloe Martindale, and Lorenz Panny. Quantum
circuits for the CSIDH: optimizing quantum evaluation of isogenies. In Advances
in cryptology—EUROCRYPT 2019. Part II, volume 11477 of Lecture Notes in
Comput. Sci., pages 759–789. 2019.
4. Ward Beullens, Thorsten Kleinjung, and Frederik Vercauteren. CSI-FiSh: Efficient
isogeny based signatures through class group computations. In Steven Galbraith
and Shiho Moriai, editors, Advances in Cryptology – ASIACRYPT 2019, Part I,
pages 227–247, 2019.
5. Xavier Bonnetain and André Schrottenloher. Submerging CSIDH. IACR Cryptol-
ogy ePrint Archive, page 537, 2018.
6. Wieb Bosma, John Cannon, and Catherine Playoust. The Magma algebra system.
I. The user language. J. Symbolic Comput., 24(3-4):235–265, 1997. Computational
algebra and number theory (London, 1993).
7. Wouter Castryck, Tanja Lange, Chloe Martindale, Lorenz Panny, and Joost Renes.
CSIDH: An efficient post-quantum commutative group action. In Thomas Peyrin
and Steven Galbraith, editors, Advances in Cryptology – ASIACRYPT 2018, Part
III, pages 395–427, 2018.
8. Wouter Castryck, Lorenz Panny, and Frederik Vercauteren. Rational isogenies from
irrational endomorphisms. IACR Cryptology ePrint Archive, 2019:1202, 2019.
9. Daniel Cervantes-Vázquez, Mathilde Chenu, Jesús-Javier Chi-Domı́nguez, Luca
De Feo, Francisco Rodrı́guez-Henrı́quez, and Benjamin Smith. Stronger and faster
side-channel protections for CSIDH. In International Conference on Cryptology
and Information Security in Latin America, pages 173–193, 2019.

10. Jean-Marc Couveignes. Hard homogeneous spaces. IACR Cryptology ePrint
Archive, 2006:291, 2006.
11. Luca De Feo, Simon Masson, Christophe Petit, and Antonio Sanso. Verifiable
delay functions from supersingular isogenies and pairings. IACR Cryptology ePrint
Archive, 2019:166, 2019.
12. Luca De Feo and Michael Meyer. Threshold schemes from isogeny assumptions.
IACR Cryptology ePrint Archive, 2019:1288, 2019.
13. Christina Delfs and Steven D Galbraith. Computing isogenies between supersin-
gular elliptic curves over Fp . Designs, Codes and Cryptography, 78(2):425–440,
2016.
14. Xuejan Fan, Song Tian, Bao Li, and Xiu Xu. CSIDH on other form of elliptic
curves. IACR Cryptology ePrint Archive, 2019:1417, 2019.
15. Aaron Hutchinson, Jason LeGrow, Brian Koziel, and Reza Azarderakhsh. Further
optimizations of CSIDH: A systematic approach to efficient strategies, permuta-
tions, and bound vectors. IACR Cryptology ePrint Archive, 2019:1121, 2019.
16. Greg Kuperberg. Another subexponential-time quantum algorithm for the dihedral
hidden subgroup problem. In 8th Conference on the Theory of Quantum Compu-
tation, Communication and Cryptography, volume 22 of LIPIcs. Leibniz Int. Proc.
Inform., pages 20–34, 2013.
17. Hiroshi Onuki and Tsuyoshi Takagi. On collisions related to an ideal class of order
3 in CSIDH. IACR Cryptology ePrint Archive, 2019:1209, 2019.
18. Chris Peikert. He gives C-sieves on the CSIDH. IACR Cryptology ePrint Archive,
2019:725, 2019.
19. Joost Renes. Computing isogenies between Montgomery curves using the action of
(0, 0). In International Conference on Post-Quantum Cryptography, pages 229–247.
Springer, 2018.
20. Alexander Rostovtsev and Anton Stolbunov. Public-key cryptosystem based on
isogenies. IACR Cryptology ePrint Archive, 2006:145, 2006.
21. René Schoof. Nonsingular plane cubic curves over finite fields. J. Combin. Theory
Ser. A, 46(2):183–211, 1987.
22. Peter W Shor. Polynomial-time algorithms for prime factorization and discrete
logarithms on a quantum computer. SIAM review, 41(2):303–332, 1999.
23. Anton Stolbunov. Public-key encryption based on cycles of isogenous elliptic
curves. Master’s thesis, Saint-Petersburg State Polytechnical University, 2004. In
Russian.
24. Anton Stolbunov. Cryptographic Schemes Based on Isogenies. PhD thesis, Norwe-
gian University of Science and Technology, 2011.

Chapter 9

Radical isogenies

There are five elementary arithmetical operations: addition,
subtraction, multiplication, division, and modular forms.

Martin Eichler

Publication data

Wouter Castryck and Thomas Decru and Frederik Vercauteren (2020). Radical
Isogenies. In Advances in Cryptology - ASIACRYPT 2020 - 26th International
Conference on the Theory and Application of Cryptology and Information
Security, Daejeon, South Korea, December 7-11, 2020, Proceedings, Part II (pp.
493–519). Springer.

Own contribution

My main contributions are the experimental results that introduced the concept
of radical isogenies, the implementation in Magma of the improved CSIDH, and
writing certain parts of the article.

Radical Isogenies

Wouter Castryck, Thomas Decru, and Frederik Vercauteren


wouter.castryck@kuleuven.be, thomas.decru@kuleuven.be,
frederik.vercauteren@kuleuven.be

imec-COSIC, KU Leuven, Belgium

Abstract. This paper introduces a new approach to computing isogenies called "radical isogenies" and a corresponding method to compute chains of $N$-isogenies that is very efficient for small $N$. The method is fully deterministic and completely avoids generating $N$-torsion points. It is based on explicit formulae for the coordinates of an $N$-torsion point $P'$ on the codomain of a cyclic $N$-isogeny $\varphi : E \to E'$, such that composing $\varphi$ with $E' \to E'/\langle P' \rangle$ yields a cyclic $N^2$-isogeny. These formulae are simple algebraic expressions in the coefficients of $E$, the coordinates of a generator $P$ of $\ker \varphi$, and an $N$th root $\sqrt[N]{\rho}$, where the radicand $\rho$ itself is given by an easily computable algebraic expression in the coefficients of $E$ and the coordinates of $P$. The formulae can be iterated and are particularly useful when computing chains of $N$-isogenies over a finite field $\mathbb{F}_q$ with $\gcd(q - 1, N) = 1$, where taking an $N$th root is a simple exponentiation. Compared to the state-of-the-art, our method results in an order of magnitude speed-up for $N \leq 13$; for larger $N$, the advantage disappears due to the increasing complexity of the formulae. When applied to CSIDH, we obtain a speed-up of about 19% over the implementation by Bernstein, De Feo, Leroux and Smith for the CSURF-512 parameters.

Keywords: Post-quantum cryptography, isogenies, Tate pairing, CSIDH.

1 Introduction
Isogeny-based cryptography is one of the more promising candidates for post-
quantum cryptography and although it is slower than lattice-based cryptography,
it has the advantage of smaller key and ciphertext sizes. Isogeny-based protocols
can be broadly categorized into two families: SIDH and CRS/CSIDH.
SIDH is a key agreement protocol introduced by Jao and De Feo in 2011 [16].
This protocol is based on random walks in isogeny graphs of supersingular elliptic
curves E over Fp2 , and is reminiscent of the CGL hash function due to Charles,
Goren and Lauter from 2009 [10]. The prime $p$ is chosen such that the torsion subgroups $E[2^n]$ and $E[3^m]$ are defined over $\mathbb{F}_{p^2}$, for large exponents $n, m$. The random walks then correspond to choosing a random point $P$ in $E[2^n]$ or $E[3^m]$ and constructing the isogeny with kernel $\langle P \rangle$, as a composition of isogenies of degree 2 respectively 3.

This work was supported in part by the Research Council KU Leuven grants C14/18/067 and STG/17/019, by CyberSecurity Research Flanders with reference number VR20192203, and by the Research Foundation Flanders (FWO) through the WOG Coding Theory and Cryptography.
CRS/CSIDH [8] takes a different approach and computes an action of the
ideal-class group $\mathrm{cl}(\mathcal{O})$ of some order $\mathcal{O}$ in an imaginary quadratic field on the set
$\mathcal{E}\ell\ell_p(\mathcal{O}, t)$ of elliptic curves over a prime field $\mathbb{F}_p$ with $\mathbb{F}_p$-rational endomorphism
ring $\mathcal{O}$ and trace of Frobenius $t$. The idea of using this class group action in
cryptography was independently proposed by Couveignes [13] and Rostovtsev-
Stolbunov [22] for ordinary elliptic curves. In [8] this idea was ported to the
supersingular case, resulting in a speed-up of several orders of magnitude. The
computation of the class group action boils down to computing chains of $\ell$-
isogenies for many small primes $\ell$, e.g., for CSIDH-512, $\ell$ ranges from 3 to 587.
This is in stark contrast with SIDH where only 2- and 3-isogenies are used.
In the CSIDH setting, computing an $\ell$-isogeny $\varphi$ from an elliptic curve $E/\mathbb{F}_p$
consists of two steps: first, a generator $P$ of the kernel of $\varphi$ is computed, i.e. an
$\mathbb{F}_p$-rational point of order $\ell$, and secondly, given $P$, an equation for the isogenous
curve $E/\langle P \rangle$ is determined.
The most basic approach to solve the first step is to generate a random
point $Q \in E(\mathbb{F}_p)$ and to multiply this by the cofactor $\#E(\mathbb{F}_p)/\ell$. Generating
a random point is essentially a square root computation at a cost of about
$1.5 \log p$ multiplications in $\mathbb{F}_p$, and the multiplication by the cofactor can be
done using the Montgomery ladder [2] and takes roughly $11 \log p$ multiplications
in $\mathbb{F}_p$. Generating a point of order $\ell$ is thus a costly operation, even further
exacerbated by the fact that multiplication by the cofactor results in the point
at infinity $\mathcal{O}_E$ with probability $1/\ell$, which is non-negligible for small $\ell$. Note that
this also makes the algorithm non-deterministic, negatively affecting constant
time implementations. The cost of generating $\ell$-torsion points from scratch can
be mitigated somewhat by considering a chain of $\ell_i$-isogenies for many different
primes $\ell_i$. Instead of sampling an $\ell_i$-torsion point for every $\ell_i$-isogeny separately,
it is cheaper to sample a $\prod_{i=1}^{k} \ell_i$-torsion point and push it through the isogeny
to create a chain of isogenies of respective degrees $\ell_1, \ell_2, \ldots, \ell_k$, multiplying this
point with a cofactor that gets smaller in each iteration.
The second step is typically carried out using some form of Vélu's formulae [28],
which compute the coefficients of $E/\langle P \rangle$ from the coefficients of $E$ and
the coordinates of the scalar multiples of $P$. Vélu's formulae can also be used
to compute the image $\varphi(Q)$ of any point $Q$ under the isogeny. The original
implementation of CSIDH uses these formulae on elliptic curves in Montgomery
form [8, 21], and requires $O(\ell)$ arithmetic operations in $\mathbb{F}_p$ per $\ell$-isogeny. Since
then many optimizations to CSIDH have been proposed, such as:

– using different forms of elliptic curves, e.g. twisted Edwards curves [18, 19]
and Hessian curves [6];
– adapting Vélu's formulae to only require $\tilde{O}(\sqrt{\ell})$ operations in $\mathbb{F}_p$ [1] instead
of $O(\ell)$;
– changing CSIDH into CSURF to allow the use of very efficient 2-isogenies [7];
– lowering the number of $\ell$-isogenies that has to be computed for each $\ell$ [20, 11].

A number of alternative approaches have been considered that avoid the
generation of $\ell$-torsion points altogether, e.g. by using modular polynomials [3,
14] or division polynomials [3]. This leads to deterministic algorithms which can
outperform the above method using Vélu's formulae for small $\ell$. Highly optimized
approaches exist for 2-isogenies [7] and 3-isogenies [6], where the speed-up stems
from two ingredients: firstly, an elliptic curve model is chosen that is nicely
adapted to 2-torsion (a variant of Montgomery curves) resp. 3-torsion (Hessian
curves). The second and main ingredient however is that the coefficients of $E/\langle P \rangle$
can be expressed in terms of the coefficients of $E$ and a single radical of a simple
algebraic expression in the coefficients of $E$. This radical is a square root for
2-isogenies and a cube root for 3-isogenies.

Contributions

The main contribution of this paper is the generalization of the aforementioned
special cases of 2- and 3-isogenies to all isogenies of any degree $N \geq 2$.
Concretely, given an elliptic curve $E$ with a point $P$ of order $N$, one can use
Vélu's formulae to compute a defining equation for $E' = E/\langle P \rangle$. We present
accompanying formulae which produce a point $P'$ on $E'$ again of order $N$, such
that the composition
\[ E \to E' \to E'/\langle P' \rangle \tag{1} \]
is a cyclic isogeny of degree $N^2$. These formulae are algebraic expressions in
the coefficients of $E$ and the coordinates of $P$, and one radical (an $N$th root)
of another algebraic expression in the coefficients of $E$ and the coordinates of
$P$. An important implication of this construction is that the same formulae now
apply to $E'$ and $P'$, which allows us to compute chains of $N$-isogenies of arbitrary
length without needing to generate an $N$-torsion point in every step. In practice,
we assume $P = (0, 0)$, thereby suppressing its coordinates from the formulae.
More in detail, we proceed as follows: an elliptic curve $E$ over a field $K$
together with a $K$-rational point $P$ of order $N \geq 4$ can be represented by the
Tate normal form
\[ E : y^2 + (1 - c)xy - by = x^3 - bx^2, \qquad P = (0, 0), \quad b, c \in K. \]
We then compute the curve $E' = E/\langle P \rangle$ using Vélu's formulae. The point $P'$ on
$E'$ can be constructed as a pre-image of $P$ under the dual isogeny $\hat\varphi : E' \to E$,
which guarantees that the composition of $\varphi$ with $E' \to E'/\langle P' \rangle$ is cyclic of order
$N^2$. Our central observation is that $P'$ is defined over $K(b, c, \sqrt[N]{\rho})$ for some
$\rho \in K(b, c)$ and we prove that one can take $\rho = t_N(P, -P)$ where $t_N$ denotes the
Tate pairing. Indeed, since $\hat\varphi(P') = P$ and using the compatibility of the Tate
pairing with isogenies, we have
\[ t_N(P, -P) = t_N(\hat\varphi(P'), -\hat\varphi(P')) = t_N(P', -P')^{\deg \hat\varphi} = t_N(P', -P')^N, \]
which shows that the field of definition of $P'$ must contain $\sqrt[N]{t_N(P, -P)}$, and
we show that this is also sufficient.
The fact that we only require one $N$th root explains the name "radical iso-
genies". By rewriting $(E', P')$ again in Tate normal form with coefficients $b'$ and
$c'$, we are ready for another iteration. The formulae we derive in fact express $b'$
and $c'$ directly as elements of $K(b, c, \sqrt[N]{\rho})$.
By specializing to finite fields $\mathbb{F}_q$ with $\gcd(q - 1, N) = 1$, we immediately
obtain that the radical $\sqrt[N]{\rho}$ is again defined over $\mathbb{F}_q$, since $N$th powering is a
field automorphism in this case. We implemented our formulae and considered
two application scenarios: firstly, we show that using our formulae, chains of $N$-
isogenies can be computed much faster than using the state-of-the-art methods:
for $N = 3, 5, 7$ the best previous approach was to use modular polynomials and
we obtain speed-ups of factors 9, 18 and 27. For $N = 11, 13$, the best previous
approach was to generate $N$-torsion points in combination with Vélu's formu-
lae and our radical isogenies outperform this by factors 12 and 5 respectively.
Secondly, we implemented a version of CSIDH using radical isogenies for all
primes $\leq 13$ and obtain a speedup of 19% over the state of the art implementa-
tion [1].

Paper organization

Section 2 briefly recaps the necessary background on isogenies, division polyno-
mials, the Tate normal form, the Tate pairing, simple radical extensions, and
isogeny-based protocols. Section 3 proves the existence of radical isogeny for-
mulae, while Section 4 works out these formulae explicitly for small values of
$N$. Section 5 discusses how our formulae perform when computing chains of
$N$-isogenies, while Section 6 reports on an improved implementation of CSIDH
using radical isogenies. Finally, Section 7 concludes the paper and lists a number
of open problems.

Acknowledgments

We are very grateful to Karl Rubin and Alice Silverberg who provided insights
on how an earlier approach to proving Theorem 5 using the theory of modular
curves was related to known results. We are also much indebted to Shahed Sharif
whose remarks pointed us in the direction of the more direct approach using Tate
pairings presented below. We finally thank Marc Houben for pointing out a typo,
and several other attendants of the online “Workshop on the Mathematics of
Post-Quantum Crypto”, held during June 6–8, 2020, for further helpful feedback.

2 Background

Throughout this section we let K denote an arbitrary field.

2.1 Isogenies and Vélu’s formulae

Let $E$ and $E'$ be elliptic curves over $K$. An isogeny $\varphi : E \to E'$ is a non-constant
morphism such that $\varphi(\mathcal{O}_E) = \mathcal{O}_{E'}$, where $\mathcal{O}_E, \mathcal{O}_{E'}$ denote the respective points
at infinity. The degree of $\varphi$ is its degree as a morphism and there always exists
a dual isogeny $\hat\varphi : E' \to E$ such that $\hat\varphi \circ \varphi = [\deg(\varphi)]$, where as usual $[\cdot]$
denotes scalar multiplication. The kernel of $\varphi$ is a finite subgroup of $E$, more
precisely its size is a divisor of $\deg(\varphi)$, where equality holds if and only if $\varphi$
is separable (which is automatic if $\operatorname{char} K \nmid \deg(\varphi)$). Conversely, given a finite
subgroup $C \subset E$, there exists a unique¹ separable isogeny $\varphi$ having $C$ as its
kernel. Concrete formulae for this isogeny were given by Vélu:

Theorem 1. Let $C$ be a finite subgroup of the elliptic curve
\[ E : y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6 \]
over $K$. Fix a partition $C = \{\mathcal{O}_E\} \cup C_2 \cup C^+ \cup C^-$, where $C_2$ are the order
2 points of $C$, and $C^+$ and $C^-$ are such that for any $P \in C^+$ it holds that
$-P \in C^-$. Write $S = C^+ \cup C_2$, and for $Q \in S$ define
\[
\begin{aligned}
g^x_Q &= 3x(Q)^2 + 2a_2 x(Q) + a_4 - a_1 y(Q), \\
g^y_Q &= -2y(Q) - a_1 x(Q) - a_3, \\
u_Q &= (g^y_Q)^2, \qquad
v_Q = \begin{cases} g^x_Q & \text{if } 2Q = \mathcal{O}_E, \\ 2g^x_Q - a_1 g^y_Q & \text{else,} \end{cases} \\
v &= \sum_{Q \in S} v_Q, \qquad w = \sum_{Q \in S} \big(u_Q + x(Q) v_Q\big), \\
A_1 &= a_1, \quad A_2 = a_2, \quad A_3 = a_3, \\
A_4 &= a_4 - 5v, \quad A_6 = a_6 - (a_1^2 + 4a_2)v - 7w.
\end{aligned}
\]
Then the separable isogeny $\varphi$ with domain $E$ and kernel $C$ has codomain $E' =
E/C$ with Weierstrass equation
\[ E' : y^2 + A_1 xy + A_3 y = x^3 + A_2 x^2 + A_4 x + A_6 \tag{2} \]
over $K$. Furthermore, for $P \in E$ we can compute the image of $P$ as
\[
\begin{aligned}
x(\varphi(P)) &= x(P) + \sum_{Q \in C \setminus \{\mathcal{O}_E\}} \big(x(P + Q) - x(Q)\big), \\
y(\varphi(P)) &= y(P) + \sum_{Q \in C \setminus \{\mathcal{O}_E\}} \big(y(P + Q) - y(Q)\big).
\end{aligned}
\]

Proof. See [28]. □

¹ Up to post-composition with an isomorphism.

2.2 Division polynomials

Let $E/K$ be defined by $y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6$, and let $b_2 = a_1^2 + 4a_2$,
$b_4 = 2a_4 + a_1 a_3$, $b_6 = a_3^2 + 4a_6$, $b_8 = a_1^2 a_6 + 4a_2 a_6 - a_1 a_3 a_4 + a_2 a_3^2 - a_4^2$. For all
integers $N \geq 0$, the $N$-division polynomial is given by
\[
\Psi_{E,0} = 0, \quad \Psi_{E,1} = 1, \quad \Psi_{E,2} = 2y + a_1 x + a_3, \quad
\Psi_{E,N} = t \cdot \prod_{Q \in (E[N] \setminus E[2])/\pm} (x - x(Q)),
\]
where $t = N$ if $N$ is odd and $t = \frac{N}{2} \cdot \Psi_{E,2}$ if $N$ is even. By definition, we have that
for any non-trivial $P \in E[N]$, $\Psi_{E,N}(P) = 0$. The division polynomials satisfy
the following recurrence relation which allows them to be computed efficiently:
\[
\begin{aligned}
\Psi_{E,3} &= 3x^4 + b_2 x^3 + 3b_4 x^2 + 3b_6 x + b_8 \\
\frac{\Psi_{E,4}}{\Psi_{E,2}} &= 2x^6 + b_2 x^5 + 5b_4 x^4 + 10b_6 x^3 + 10b_8 x^2 + (b_2 b_8 - b_4 b_6)x + (b_4 b_8 - b_6^2) \\
\Psi_{E,2N+1} &= \Psi_{E,N+2}\Psi_{E,N}^3 - \Psi_{E,N-1}\Psi_{E,N+1}^3 \quad \text{if } N \geq 2 \\
\Psi_{E,2N} &= \frac{\Psi_{E,N}}{\Psi_{E,2}}\big(\Psi_{E,N+2}\Psi_{E,N-1}^2 - \Psi_{E,N-2}\Psi_{E,N+1}^2\big) \quad \text{if } N \geq 3.
\end{aligned}
\]
Note that $\Psi_{E,2}^2 = 4x^3 + (a_1^2 + 4a_2)x^2 + (2a_1 a_3 + 4a_4)x + a_3^2 + 4a_6$, i.e. a univariate
polynomial in $x$.
If one is interested in points of exact order $N$ (so not just in $E[N]$), then one
can use the reduced $N$-division polynomial $\psi_{E,N}$ defined as
\[ \psi_{E,N} = \frac{\Psi_{E,N}}{\operatorname{lcm}_{d \mid N,\, d \neq N}\{\Psi_{E,d}\}}. \]
For all primes $\ell$, we have that $\Psi_{E,\ell} = \psi_{E,\ell}$. Note that for $N > 2$, the reduced
$N$-division polynomial of an elliptic curve $E$ is a univariate polynomial in $x$.
The multiplication-by-$N$ map can be expressed explicitly using division poly-
nomials as follows [23, Exercise 3.6]:
\[ [N]P = \left( \frac{\phi_{E,N}(P)}{\Psi_{E,N}(P)^2}, \frac{\omega_{E,N}(P)}{\Psi_{E,N}(P)^3} \right), \tag{3} \]
with $\phi_{E,N} = x\Psi_{E,N}^2 - \Psi_{E,N+1}\Psi_{E,N-1}$ and $\omega_{E,N} = \frac{1}{2\Psi_{E,N}}\big(\Psi_{E,2N} - \Psi_{E,N}^2(a_1\phi_{E,N} + a_3\Psi_{E,N}^2)\big)$.

2.3 The Tate normal form

We will be interested in elliptic curves $E$ over $K$ with a distinguished point
$P \in E(K)$ of some finite order $N$. By translating this point to $(0, 0)$ and requiring
that the tangent line is horizontal, and with proper scaling, one can easily prove
the following lemma; we refer to [25, Lem. 2.1] for further details.

Lemma 2. Let $E$ be an elliptic curve over $K$ and let $P \in E(K)$ be a point of
order $N \geq 4$, then $(E, P)$ is isomorphic to a unique pair of the form
\[ E : y^2 + (1 - c)xy - by = x^3 - bx^2, \qquad P = (0, 0) \tag{4} \]
with $b, c \in K$ and
\[ \Delta(b, c) = b^3(c^4 - 8bc^2 - 3c^3 + 16b^2 - 20bc + 3c^2 + b - c) \neq 0. \]
The resulting curve-point pair is said to be in Tate normal form.

Given a Tate normal form, the first few scalar multiples of $P = (0, 0)$ are
given by simple expressions in $b$ and $c$, e.g.
\[ 2P = (b, bc), \quad 3P = (c, b - c), \quad -P = (0, b), \quad -2P = (b, 0), \quad -3P = (c, c^2). \]
Higher multiples can be computed using (3). Using these multiples, for each
$N \geq 4$ one can write down an irreducible polynomial $F_N(b, c) \in \mathbb{Z}[b, c]$ whose
vanishing, along with the non-vanishing of $\Delta(b, c)$ and of $F_m(b, c)$ for $4 \leq m < N$,
expresses that $P$ has exact order $N$. For instance, for $N = 4$ we find the equation
$F_4(b, c) = c = 0$, by imposing that $3P = -P$. Similarly, for $N = 5$ we find
$F_5(b, c) = c - b = 0$ and for $N = 6$ we find $F_6(b, c) = c^2 + c - b = 0$. Further
examples can be found in Table 1 below. Alternatively, the polynomial $F_N(b, c)$
can be recovered as a factor of the constant term of the $N$-division polynomial
of the curve (4), when considered over the rational function field $\mathbb{Q}(b, c)$. This is
the approach taken in [25, §2], to which we refer for more details.
Remark 3. Up to birational equivalence, $F_N(b, c)$ is a defining polynomial for
the modular curve $X_1(N)$. See again [25] for more background.

2.4 The Tate pairing


Given an elliptic curve $E/K$ and an integer $N \geq 2$, the Tate pairing is a bilinear
map
\[ t_N : E(K)[N] \times E(K)/NE(K) \to K^*/(K^*)^N : (P_1, P_2) \mapsto t_N(P_1, P_2) \]
which can be computed as follows. Consider a Miller function $f_{N,P_1}$, i.e., a func-
tion on $E$ with divisor $N(P_1) - N(\mathcal{O}_E)$. Let $D$ be a $K$-rational divisor on $E$
that is linearly equivalent with $(P_2) - (\mathcal{O}_E)$ and whose support is disjoint from
$\{P_1, \mathcal{O}_E\}$. Then $t_N(P_1, P_2) = f_{N,P_1}(D)$. If $P_1 \neq P_2$ and the Miller function is
normalized, i.e., the leading coefficient of its expansion around $\mathcal{O}_E$ with respect
to the uniformizer $x/y$ equals 1 (we are assuming that $E$ is in Weierstrass form),
then one can simply compute $t_N(P_1, P_2)$ as $f_{N,P_1}(P_2)$.
For certain instances of $K$, the Tate pairing is known to be non-degenerate,
meaning that for each $P_1 \in E(K)[N] \setminus \{\mathcal{O}_E\}$ there exists a $P_2 \in E(K)/NE(K)$
such that $t_N(P_1, P_2) \neq 1$, and vice versa. Most notably, this is true if $K = \mathbb{F}_q$
is a finite field containing a primitive $N$th root of unity $\zeta_N$ [15], i.e., for which
$N \mid q - 1$.

Another important feature is that the Tate pairing is compatible with iso-
genies, in the following sense: if $\varphi : E \to E'$ is an isogeny over $K$ then the rule
$t_N(\varphi(P_1), P_2') = t_N(P_1, \hat\varphi(P_2'))$ applies. In particular we have
\[ t_N(\varphi(P_1), \varphi(P_2)) = t_N(P_1, P_2)^{\deg(\varphi)} \]
for all $P_1 \in E(K)[N]$ and $P_2 \in E(K)/NE(K)$. For a proof of this compatibility
we refer to [4, Thm. IX.9], which assumes $\zeta_N \in K$, but this condition can be
discarded (it is not used in the proof).

2.5 Simple radical extensions


Following [12], we say that a field extension $K \subset L$ is simple radical of degree
$N \geq 2$ if there exists an $\alpha \in L$ such that (i) $L = K(\alpha)$, (ii) $\rho := \alpha^N \in K$, and
(iii) $x^N - \rho \in K[x]$ is irreducible. Property (iii) can be verified easily using the
following theorem.

Theorem 4. Let $K$ be a field, consider an integer $N \geq 2$, and let $\rho \in K^*$.
Assume that for all primes $m \mid N$ we have $\rho \notin K^m$. If $4 \mid N$, assume moreover
that $\rho \notin -4K^4$. Then the polynomial $x^N - \rho \in K[x]$ is irreducible.

Proof. See [17, Thm. VI.9.1]. □

We will usually write $L = K(\sqrt[N]{\rho})$, although it should be noted that $\sqrt[N]{\rho}$
is only well-defined up to multiplication by $\zeta_N^i$ for some $i \in \{0, 1, \ldots, N - 1\}$.
Apart from this subtlety, we note that the field $K(\sqrt[N]{\rho})$ does not change if we
multiply $\rho$ with the $N$th power of an element of $K^*$, or if we raise $\rho$ to some
power that is coprime with $N$.

Remark 1. If $K \subset L$ is simple radical of degree $N$ and if $\operatorname{char} K \nmid N$, then the
Galois closure of $L$ over $K$ is obtained by adjoining a primitive $N$th root of unity
$\zeta_N$, and
\[ \operatorname{Gal}(L(\zeta_N)/K) = \operatorname{Gal}(L(\zeta_N)/K(\zeta_N)) \rtimes \operatorname{Gal}(L(\zeta_N)/L) \]
where the first factor is cyclic of order $N$. In particular, if $\zeta_N \in L$ then $L$ is
Galois over $K$ with cyclic Galois group. Kummer theory provides a converse
statement [24, Lem. 9.13.1].

2.6 CSIDH
We briefly review the CSIDH key agreement protocol, which is our main applic-
ation of radical isogenies. Let $\mathbb{F}_p$ be a large finite field with $p = c\ell_1\ell_2\cdots\ell_r - 1$,
where the $\ell_i$ are small distinct primes and where $c$ is some small cofactor. Alice
and Bob agree on an order $\mathcal{O} \subset \mathbb{Q}(\sqrt{-p})$ containing $\mathbb{Z}[\sqrt{-p}]$, and they con-
sider the set $\mathcal{E}\ell\ell_p(\mathcal{O}) = \mathcal{E}\ell\ell_p(\mathcal{O}, 0)$ of elliptic curves $E/\mathbb{F}_p$ whose endomorphism
ring $\operatorname{End}_{\mathbb{F}_p} E$ is isomorphic to $\mathcal{O}$. Such curves are necessarily supersingular, and
without loss of generality it can be assumed that the isomorphism $\operatorname{End}_{\mathbb{F}_p} E \cong \mathcal{O}$
identifies the Frobenius endomorphism $\pi_p$ on $E$ with $\sqrt{-p}$.

To any $E \in \mathcal{E}\ell\ell_p(\mathcal{O})$ and any invertible ideal $\mathfrak{a} \subset \mathcal{O}$ one can, using the above
isomorphism, associate the finite subgroup
\[ E[\mathfrak{a}] = \bigcap_{\alpha \in \mathfrak{a}} \ker \alpha \subset E. \]
It turns out that the isogenous curve $E/E[\mathfrak{a}]$ is again contained in $\mathcal{E}\ell\ell_p(\mathcal{O})$ and
that it depends on the class $[\mathfrak{a}]$ of $\mathfrak{a}$ only; furthermore, this defines a free and
transitive action of the ideal-class group $\mathrm{cl}(\mathcal{O})$ on $\mathcal{E}\ell\ell_p(\mathcal{O})$. The key agreement
then works as follows: Alice and Bob agree on a starting curve $E \in \mathcal{E}\ell\ell_p(\mathcal{O})$,
then both sample a secret ideal-class $[\mathfrak{a}]$ resp. $[\mathfrak{b}]$, compute the isogenous curves
$E/E[\mathfrak{a}]$ resp. $E/E[\mathfrak{b}]$, and exchange the outcomes. Both parties can now compute
$E/E[\mathfrak{ab}]$ by acting with their own secret ideal-class on the other party's curve.
In order for this to be practical, Alice and Bob should sample $\mathfrak{a}, \mathfrak{b}$ as products
of ideals of the form $(\ell_i, \sqrt{-p} - 1)^{e_i}$, whose action corresponds to a chain of
$|e_i|$ easy-to-compute $\ell_i$-isogenies; this is also true if $e_i < 0$, in which case one
considers the equivalent ideal $(\ell_i, \sqrt{-p} + 1)^{|e_i|}$. The prime $\ell_i = 2$ requires special
treatment: it should be skipped unless $p \equiv 7 \bmod 8$ and $\mathcal{O}$ is the maximal order,
in which case one considers $(2, (\sqrt{-p} - 1)/2)$ resp. $(2, (\sqrt{-p} + 1)/2)$ instead of
the principal ideals $(2, \sqrt{-p} - 1)$, $(2, \sqrt{-p} + 1)$.
3 Existence of radical isogeny formulae


In this section we prove the existence of radical isogeny formulae, without de-
riving these formulae explicitly. The explicit derivation for small $N$, including
the cases $N = 2, 3$, is given in the next section. As such, we assume $N \geq 4$ and
consider the 'universal' Tate normal curve
\[ E : y^2 + (1 - c)xy - by = x^3 - bx^2 \]
over the field
\[ \mathbb{Q}_N(b, c) := \operatorname{Frac} \frac{\mathbb{Q}[b, c]}{(F_N(b, c))}, \]
so that the base point $P = (0, 0)$ has order $N$. Note that $\mathbb{Q}_N(b, c)$ is simply
the function field of $X_1(N)$ over $\mathbb{Q}$. Let $\varphi : E \to E'$ be the isogeny with kernel
$\langle P \rangle$; for concreteness it can be assumed that the codomain curve $E'$ is given by
equation (2) provided by Vélu's formulae, although this is not needed for what
follows.
Recall that we are interested in those points $P' \in E'$ for which the composi-
tion
\[ E \xrightarrow{\varphi} E' \to E'/\langle P' \rangle \]
is a cyclic $N^2$-isogeny. It is easy to check that these points are characterized by
the condition
\[ \hat\varphi(P') = \lambda P \quad \text{for some } \lambda \in (\mathbb{Z}/N)^*, \tag{5} \]
with $\hat\varphi : E' \to E$ the dual of $\varphi$. In particular, there are $N\phi(N)$ such points,
generating $N$ distinct subgroups of $E'$, where $\phi$ denotes Euler's totient function.

The points corresponding to $\lambda = 1$ will be called $P$-distinguished; they can be
viewed as a set of canonical generators for these subgroups.
Define
\[ \rho := f_{N,P}(-P) \tag{6} \]
where the Miller function $f_{N,P}$ on $E$ is assumed to be normalized, so that $\rho$
is just $t_N(P, -P)$ when considered modulo $N$th powers in $\mathbb{Q}_N(b, c)^*$. The main
result of this section is:

Theorem 5. Let $P' \in E'$ be a point satisfying (5). Then the field extension
$\mathbb{Q}_N(b, c) \subset \mathbb{Q}_N(b, c)(P')$, obtained by adjoining the coordinates of $P'$, is simple
radical of degree $N$. More precisely, $\mathbb{Q}_N(b, c)(P') = \mathbb{Q}_N(b, c)(\sqrt[N]{\rho})$ for an appro-
priately chosen $N$th root $\sqrt[N]{\rho}$ of $\rho = f_{N,P}(-P)$.

Proof. The fibre $\hat\varphi^{-1}\{\lambda P\}$ decomposes as a union of orbits under the action
of the absolute Galois group of $\mathbb{Q}_N(b, c)$, together containing $N$ elements. One
of these orbits contains $P'$. Its number of elements equals the degree of the
corresponding closed point, which in turn equals the degree of the extension
$\mathbb{Q}_N(b, c) \subset \mathbb{Q}_N(b, c)(P')$. In particular, this extension has degree at most $N$. On
the other hand, by Lemma 6 below, the extension $\mathbb{Q}_N(b, c) \subset \mathbb{Q}_N(b, c)(\sqrt[N]{\rho})$ is
of degree precisely $N$. Therefore, it suffices to prove that $\mathbb{Q}_N(b, c)(P')$ contains
an $N$th root of $\rho$.
To this end we consider $\alpha := f_{N,P'}(-P') \in \mathbb{Q}_N(b, c)(P')$, where the Miller
function $f_{N,P'}$ is again assumed normalized, and we let $\mu$ be such that $\lambda^2\mu \equiv
1 \bmod N$. Modulo $N$th powers in $\mathbb{Q}_N(b, c)(P')^*$ we have
\[
(\alpha^\mu)^N = t_N(P', -P')^{N\mu} = t_N(\hat\varphi(P'), -\hat\varphi(P'))^\mu
= t_N(\lambda P, -\lambda P)^\mu = t_N(P, -P)^{\lambda^2\mu} = \rho,
\]
showing that $\rho$ is indeed the $N$th power of some element of $\mathbb{Q}_N(b, c)(P')$. □

Lemma 6. The polynomial $x^N - \rho \in \mathbb{Q}_N(b, c)[x]$ is irreducible.

Proof. According to Theorem 4 it suffices to prove:

(i) for all primes $m \mid N$ we have $\rho \notin \mathbb{Q}_N(b, c)^m$,
(ii) if $4 \mid N$ then $\rho \notin -4\mathbb{Q}_N(b, c)^4$.

Let $p \equiv 1 \bmod 2N$ be a prime number such that $4\sqrt{p} > N^2$. Then the Hasse
interval $[p + 1 - 2\sqrt{p}, p + 1 + 2\sqrt{p}]$ contains the integers $\lambda N$ for $N$ consecutive values
of $\lambda$. At least one of these values satisfies $\gcd(\lambda, N) = 1$. By [27, Thm. 2.4.31]
there exists an elliptic curve $\bar E/\mathbb{F}_p$ such that $\bar E(\mathbb{F}_p) \cong \mathbb{Z}/(\lambda N)$, so in particular
$\bar E(\mathbb{F}_p)[N^\infty] \cong \mathbb{Z}/(N)$. Without loss of generality we can assume that $\bar E$ is in
Tate normal form, say with coefficients $\bar b, \bar c \in \mathbb{F}_p$, and that $\bar P = (0, 0)$ is a point
of order $N$ on $\bar E$.
Then, in order to prove (i), assume that $\rho \in \mathbb{Q}_N(b, c)^m$ for some prime divisor
$m \mid N$. Since Miller functions are compatible with reduction mod $p$ and with
specialization at $\bar b, \bar c \in \mathbb{F}_p$ (this follows, for instance, from Miller's algorithm),
we find that
\[ t_N(\bar P, [-N/m]\bar P) = t_N(\bar P, -\bar P)^{N/m} = 1, \]
in turn implying that $t_N(Q, [-N/m]\bar P) = 1$ for all $Q \in \bar E(\mathbb{F}_p)[N]$. This contra-
dicts the non-degeneracy of the Tate pairing over $\mathbb{F}_p$ (which contains all $N$th
roots of unity by our choice of $p$). Indeed, $[-N/m]\bar P$ is a non-trivial element of
$\bar E(\mathbb{F}_p)/N\bar E(\mathbb{F}_p)$.
As for (ii): if $4 \mid N$ then $p \equiv 1 \bmod 8$, from which it follows that $-1$ and
$4$ are 4th powers in $\mathbb{F}_p$, in particular the same holds for $-4$. As above, if $\rho \in
-4\mathbb{Q}_N(b, c)^4$ then we can conclude that
\[ t_N(\bar P, [-N/4]\bar P) = t_N(\bar P, -\bar P)^{N/4} = 1, \]
again contradicting the non-degeneracy of the Tate pairing. □
An immediate consequence of Theorem 5 is that for each point $P' = (x_0', y_0')$
satisfying (5) there exist concrete algebraic formulae
\[ x_0'(b, c, \sqrt[N]{\rho}), \quad y_0'(b, c, \sqrt[N]{\rho}) \tag{7} \]
for its coordinates: these are the radical isogeny formulae we are after. Note that,
in order to find these formulae explicitly, it suffices to consider the cases where $P'$
is $P$-distinguished, i.e., where $\lambda = 1$. Indeed, all other cases are then dealt with by
feeding these formulae to the multiplication-by-$\lambda$ map from (3). Experimentally,
it seems that the $P$-distinguished case yields the simplest formulae.
Remark 2. Our choice of radicand $\rho = f_{N,P}(-P)$ is somewhat arbitrary: any
representant of $t_N(P, \mu P)$ for any $\mu \in (\mathbb{Z}/N)^*$ would have worked equally well,
with the same proofs. This reflects the fact that scaling $\rho$ by $N$th powers, or
raising $\rho$ to an exponent that is coprime with $N$, results in the same simple
radical extension.
Given the coordinates of a $P$-distinguished point $P'$, all other $P$-distinguished
points are found by varying the choice of $\sqrt[N]{\rho}$:
Lemma 7. Let $\lambda \in (\mathbb{Z}/N)^*$ and consider formulae of the form (7) expressing
the coordinates of a point $P'$ such that $\hat\varphi(P') = \lambda P$. Then, by varying the choice
of the $N$th root $\sqrt[N]{\rho}$, i.e., by scaling it with $\zeta_N^i$ for $i = 0, 1, \ldots, N - 1$, these
formulae compute the coordinates of all points $P'$ for which $\hat\varphi(P') = \lambda P$.
Proof. From the proof of Theorem 5 it follows that $\hat\varphi^{-1}\{\lambda P\}$ consists of a single
Galois orbit, which implies our claim. □
For the applications we have in mind, we want to interpret the formulae (7)
in some concrete field $K$, with the indeterminates $b, c$ replaced by concrete ele-
ments $b, c \in K$. It follows from general principles in algebraic geometry that
these specialized formulae continue to produce the coordinates of a point $P'$
defining a cyclic $N^2$-isogeny, with the possible exception of finitely many field
characteristics $p > 0$ and finitely many $(b, c) \in K^2$. Loosely based on good
reduction arguments from the theory of modular curves, we actually believe:

Conjecture 1. The formulae (7) are compatible with specialization to all fields
$K$ satisfying $\operatorname{char} K \nmid N$ and to all elements $b, c \in K$ satisfying $F_N(b, c) = 0$,
$\Delta(b, c) \neq 0$ and $F_m(b, c) \neq 0$ for all $4 \leq m < N$ (in other words, to all $b, c$ for
which $y^2 + (1 - c)xy - by = x^3 - bx^2$ is an elliptic curve on which $P = (0, 0)$ has
exact order $N$).
It is easy to confirm this conjecture for small values of $N$, by explicitly
factoring the $N$-division polynomial of $E'$: this is the approach followed in the
next section, leading to explicit expressions for the formulae (7). In particular,
the above conjecture does not affect any of our conclusions in Sections 5 and 6,
which are based on radical $N$-isogenies for these small values of $N$ only. But
from a purely mathematical point of view, we leave the validity of Conjecture 1
as an interesting open question.
We conclude by recalling that by rewriting $(E', P')$ in Tate normal form, one
obtains a curve equation
\[ y^2 + (1 - c')xy - b'y = x^3 - b'x^2 \]
where now
\[ b'(b, c, \sqrt[N]{\rho}), \quad c'(b, c, \sqrt[N]{\rho}) \tag{8} \]
are certain algebraic expressions in $b, c, \sqrt[N]{\rho}$. The formulae (8) can be applied
iteratively, effectively allowing one to compute a cyclic $N^k$-isogeny for arbitrary $k$
without needing to explicitly generate points of order $N$ in each step.

4 Explicit radical isogeny formulae in low degree


In this section, we explain how to find concrete formulae of the forms (7) and (8)
for small values of $N$, by factoring the reduced $N$-division polynomial of $E'$ with
the help of Magma [5]. As a by-product, we get a confirmation of Conjecture 1
in these cases. In particular, throughout this section, we work over an arbitrary
field $K$ with $\operatorname{char} K \nmid N$.
We first deal with the cases $N = 2, 3$, which require a different curve
model. We note however that the same principles, in particular the use of the Tate
pairing, also apply in these cases.

Case $N = 2$. Since $\operatorname{char} K \neq 2$, we can assume that $E : y^2 = x^3 + a_2 x^2 + a_4 x$
for $a_2, a_4 \in K$ and $P = (0, 0)$. A simple calculation shows that the isogenous
curve $E/\langle P \rangle$ can be given by
\[ E' : y^2 = x^3 - 2a_2 x^2 + (a_2^2 - 4a_4)x. \]
The dual isogeny corresponds to quotienting out $(0, 0)$ on $E'$, so any other point
of order 2 on $E'$ is a suitable instance of $P'$; note that it is automatically $P$-
distinguished. If we define $\rho = a_4$ and $\alpha = \sqrt{\rho}$, then these points are of the
form
\[ P' = (a_2 + 2\alpha, 0), \]
and by translating $P'$ to $(0, 0)$, we find the isomorphic model $E' : y^2 = x^3 +
a_2' x^2 + a_4' x$, where
\[ a_2' = 6\alpha + a_2 \quad \text{and} \quad a_4' = 4a_2\alpha + 8a_4. \tag{9} \]
We are now ready to repeat the whole process, since we can divide out by $(0, 0)$
again.
Remark 3. We cannot use $f_{2,P}(-P)$ as an instance of $\rho$ in this case, since
$P = -P$. Nevertheless, the reader can check that $\rho = a_4$ is a representant
of $t_2(P, -P)$.
Case $N = 3$. By requiring that the inflexion point $P = (0, 0)$ has a horizontal
tangent line, we can assume that $E : y^2 + a_1 xy + a_3 y = x^3$ for certain $a_1, a_3 \in K$.
Vélu's formulae yield
\[ E' : y^2 + a_1 xy + a_3 y = x^3 - 5a_1 a_3 x - a_1^3 a_3 - 7a_3^2 \]
as a defining equation for $E/\langle P \rangle$. The 3-division polynomial of $E'$ splits as
\[ \Psi_{E',3}(x) = 3(x + a_1^2/3)(x^3 - 9a_1 a_3 x - a_1^3 a_3 - 27a_3^2), \]
and one checks through explicit computation that the linear factor is the kernel
polynomial of the dual isogeny. Therefore, any root of the cubic factor is the
$x$-coordinate of a $P$-distinguished point $P'$. Letting $\rho = f_{3,P}(-P) = -a_3$ and
writing $\alpha = \sqrt[3]{\rho}$, this cubic factor splits as
\[ (x + a_1\alpha - 3\alpha^2)(x^2 + (-a_1\alpha + 3\alpha^2)x + a_1^2\alpha^2 - 3a_1 a_3 - 9a_3\alpha) \]
(note that it splits completely over $K(\zeta_3)$ in view of Remark 1 and/or Lemma 7).
Thus we can take $x_0' = -a_1\alpha + 3\alpha^2$ and then one checks that $y_0' = 4a_3$ is the $y$-
coordinate of the corresponding $P$-distinguished point $P' = (x_0', y_0')$. Translating
$P'$ to $(0, 0)$ yields a model
\[ E' : y^2 + a_1' xy + a_3' y = x^3, \]
with $a_1' = -6\alpha + a_1$ and $a_3' = 3a_1\alpha^2 - a_1^2\alpha + 9a_3$, and we can repeat. We recall
that the simple radical nature of iterated 3-isogenies is not a new observation,
see [6].

Case $N = 4$. For $N \geq 4$ we switch to the Tate normal form as in Section 3.
Concretely, for $N = 4$ we have $F_4(b, c) = c = 0$ so we obtain the defining equation
$E : y^2 + xy - by = x^3 - bx^2$. From Vélu's formulae we find
\[ E' : y^2 + xy - by = x^3 - bx^2 + (-5b^2 + 5b)x + (-3b^3 - 12b^2 + b) \]
as a defining equation for $E/\langle P \rangle$, with reduced 4-division polynomial
\[
\begin{aligned}
\psi_{E',4}(x) = 2 \cdot (x + b + 1/2) \cdot (x - 7b) \cdot \big(x^4 + 4bx^3 + (6b^2 + 24b)x^2 \\
+ (4b^3 - 80b^2 + 8b)x + b^4 + 152b^3 - 8b^2 + b\big).
\end{aligned}
\]
The first linear factor corresponds to the $x$-coordinate of a generator of the
dual isogeny. The second linear factor corresponds to the $x$-coordinate of a 4-
torsion point $Q$ such that $2Q$ is in the kernel of the dual isogeny. Any root
of the quartic factor is the $x$-coordinate of a $P$-distinguished point $P'$. Letting
$\rho = f_{4,P}(-P) = -b$ and writing $\alpha = \sqrt[4]{\rho}$, one can verify that
\[ P' = (4\alpha^3 + 2\alpha^2 + \alpha - b,\ 2\alpha^3 + \alpha^2 - 8b\alpha - 7b) \]
is such a $P$-distinguished point. Translating $P'$ to $(0, 0)$ we find an isomorphic
model of $E'$ given by
\[ E' : y^2 + xy - b'y = x^3 - b'x^2, \tag{10} \]
with
\[ b' = -\frac{\alpha(4\alpha^2 + 1)}{(2\alpha + 1)^4}. \]
This formula can be applied iteratively.

Case $N = 5$. For $N = 5$ we have $F_5(b, c) = b - c = 0$, so we obtain the defining
equation $E : y^2 + (1 - b)xy - by = x^3 - bx^2$. Vélu's formulae yield
\[ E' : y^2 + (1 - b)xy - by = x^3 - bx^2 - 5b(b^2 + 2b - 1)x - b(b^4 + 10b^3 - 5b^2 + 15b - 1) \]
as a defining equation for the codomain of $\varphi : E \to E/\langle P \rangle$. The 5-division
polynomial of $E'$ can be verified to split as
\[
\begin{aligned}
\Psi_{E',5}(x) = 5 &\cdot \big(x^2 + (b^2 - b + 1)x + (b^4 + 3b^3 - 26b^2 - 8b + 1)/5\big) \\
&\cdot \big(x^5 + 10bx^4 - 5b(b^2 + b - 11)x^3 - 5b(17b^3 + 24b^2 + 46b - 7)x^2 \\
&\qquad - 5b(b^5 + 62b^4 + 154b^3 - 65b^2 + 19b - 2)x \\
&\qquad - b(b^7 - 19b^6 + 777b^5 - 757b^4 + 755b^3 + 2b^2 + 17b - 1)\big) \\
&\cdot \big(x^5 - 15bx^4 - 5b(11b^2 - 9b - 1)x^3 - 5b^2(7b^3 + 13b^2 - 13b + 20)x^2 \\
&\qquad - 5b^2(2b^5 + 5b^4 + 6b^3 + 196b^2 - 99b + 1)x \\
&\qquad - b^2(b^7 + 7b^6 - 62b^5 + 605b^4 - 127b^3 + 1177b^2 + 14b + 1)\big)
\end{aligned}
\]
where the quadratic polynomial factor is the kernel polynomial of the dual
isogeny. The roots of the first quintic factor are the $x$-coordinates of the $P$-
distinguished points. Those of the second quintic factor are the $x$-coordinates
of the points $P'$ for which $\hat\varphi(P') = 2P$ (i.e., the doubles of the $P$-distinguished
points). Concretely, letting $\rho = f_{5,P}(-P) = b$ and writing $\alpha = \sqrt[5]{\rho}$, the first
quintic factor admits the root
\[ x_0' = 5\alpha^4 + (b - 3)\alpha^3 + (b + 2)\alpha^2 + (2b - 1)\alpha - 2b \]
(with all other roots obtained by scaling $\alpha$ with powers of $\zeta_5$) and then one can
check that
\[ y_0' = 5\alpha^4 + (b - 3)\alpha^3 + (b^2 - 10b + 1)\alpha^2 + (13b - b^2)\alpha - b^2 - 11b \]
is the $y$-coordinate of the corresponding $P$-distinguished point $P'$. Translating
$P'$ to $(0, 0)$, we obtain the isomorphic form
\[ E' : y^2 + (1 - b')xy - b'y = x^3 - b'x^2, \]
where
\[ b' = \alpha \cdot \frac{\alpha^4 + 3\alpha^3 + 4\alpha^2 + 2\alpha + 1}{\alpha^4 - 2\alpha^3 + 4\alpha^2 - 3\alpha + 1} \]
and again we can repeat.
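The following is an added example, written for this edition and not code from the paper or from the authors' Magma scripts. It implements Theorem 1 (Vélu's formulae for a cyclic kernel) over a prime field $\mathbb{F}_p$ with plain Weierstrass point arithmetic, together with the $N = 5$ radical step above ($\rho = b$, $\alpha = \sqrt[5]{\rho}$, and the $b'$ formula), and it cross-checks the two: the Tate normal form with coefficient $b'$ must have the same $j$-invariant as the Vélu codomain $E/\langle P \rangle$. The prime $p = 10007$ (which is $2 \bmod 5$, so $\gcd(p - 1, 5) = 1$ and the fifth root is the $(5^{-1} \bmod p - 1)$-th power, as in Section 5) and all function names are our own choices; the curve equations and formulae are the ones stated on this page.

```python
# Added example: Theorem 1 (Vélu) and the degree-5 radical isogeny formula over F_p.
# All function names are ours; None stands for the point at infinity O_E.

def inv(a, p):
    """Inverse in F_p (p prime) via Fermat's little theorem."""
    return pow(a % p, p - 2, p)

def add(P, Q, a, p):
    """Chord-and-tangent addition on y^2 + a1 xy + a3 y = x^3 + a2 x^2 + a4 x + a6."""
    a1, a2, a3, a4, a6 = a
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2 + a1 * x1 + a3) % p == 0:
        return None                                   # Q = -P
    if x1 == x2:                                      # doubling: tangent slope
        den = inv(2 * y1 + a1 * x1 + a3, p)
        lam = (3 * x1 * x1 + 2 * a2 * x1 + a4 - a1 * y1) * den
        nu = (-x1 ** 3 + a4 * x1 + 2 * a6 - a3 * y1) * den
    else:                                             # addition: chord slope
        den = inv(x2 - x1, p)
        lam = (y2 - y1) * den
        nu = (y1 * x2 - y2 * x1) * den
    x3 = (lam * lam + a1 * lam - a2 - x1 - x2) % p
    return (x3, (-(lam + a1) * x3 - nu - a3) % p)

def multiples(P, N, a, p):
    """[P, 2P, ..., (N-1)P]; raises unless P has exact order N."""
    pts, Q = [], P
    for _ in range(N - 1):
        if Q is None:
            raise ValueError("order of P is smaller than N")
        pts.append(Q)
        Q = add(Q, P, a, p)
    if Q is not None:
        raise ValueError("N * P is not the point at infinity")
    return pts

def velu_codomain(P, N, a, p):
    """Theorem 1 for the cyclic kernel C = <P> of order N: coefficients of E/<P>."""
    a1, a2, a3, a4, a6 = a
    pts = multiples(P, N, a, p)
    v = w = 0
    # S = C^+ u C_2 = {kP : 1 <= k <= N/2}; kP has order 2 exactly when k = N/2
    for k in range(1, N // 2 + 1):
        xq, yq = pts[k - 1]
        gx = (3 * xq * xq + 2 * a2 * xq + a4 - a1 * yq) % p
        gy = (-2 * yq - a1 * xq - a3) % p
        vq = gx if 2 * k == N else (2 * gx - a1 * gy) % p
        v = (v + vq) % p
        w = (w + gy * gy + xq * vq) % p               # u_Q = (g^y_Q)^2
    return (a1, a2, a3, (a4 - 5 * v) % p, (a6 - (a1 * a1 + 4 * a2) * v - 7 * w) % p)

def j_invariant(a, p):
    """j = c4^3 / Delta of a general Weierstrass curve; raises if Delta = 0."""
    a1, a2, a3, a4, a6 = a
    b2, b4, b6 = a1 * a1 + 4 * a2, 2 * a4 + a1 * a3, a3 * a3 + 4 * a6
    b8 = a1 * a1 * a6 + 4 * a2 * a6 - a1 * a3 * a4 + a2 * a3 * a3 - a4 * a4
    disc = (-b2 * b2 * b8 - 8 * b4 ** 3 - 27 * b6 * b6 + 9 * b2 * b4 * b6) % p
    if disc == 0:
        raise ValueError("singular curve")
    return (b2 * b2 - 24 * b4) ** 3 * inv(disc, p) % p

def tate5(b, p):
    """Tate normal form with F_5(b, c) = b - c = 0: y^2 + (1-b)xy - by = x^3 - bx^2."""
    return ((1 - b) % p, -b % p, -b % p, 0, 0)

def radical_step_5(b, p):
    """One radical 5-isogeny: rho = b, alpha = rho^(1/5), b' as in the N = 5 case."""
    if (p - 1) % 5 == 0:
        raise ValueError("need gcd(p - 1, 5) = 1 so that the 5th root is unique")
    alpha = pow(b, pow(5, -1, p - 1), p)   # 5th powering is a bijection of F_p here
    num = alpha ** 4 + 3 * alpha ** 3 + 4 * alpha ** 2 + 2 * alpha + 1
    den = alpha ** 4 - 2 * alpha ** 3 + 4 * alpha ** 2 - 3 * alpha + 1
    return alpha * num * inv(den, p) % p

def radical_chain_5(b, p, k):
    """[b_0, ..., b_k]: k consecutive 5-isogenies, no torsion point sampled in between."""
    chain = [b % p]
    for _ in range(k):
        chain.append(radical_step_5(chain[-1], p))
    return chain

def consistent_with_velu(b, p):
    """Does the radical formula reach the Vélu codomain (equal j-invariants)?"""
    j_velu = j_invariant(velu_codomain((0, 0), 5, tate5(b, p), p), p)
    return j_velu == j_invariant(tate5(radical_step_5(b, p), p), p)

if __name__ == "__main__":
    p = 10007                           # 10007 = 2 mod 5, hence gcd(p - 1, 5) = 1
    print(radical_chain_5(2, p, 10))
    print(all(consistent_with_velu(b, p) for b in range(2, 12)))
```

Over $\mathbb{F}_7$ with $b = 1$ the pieces can be followed by hand: `multiples` returns $2P = (1, 1) = (b, bc)$ and $-P = (0, 1) = (0, b)$ as in Section 2.3, `velu_codomain` returns $A_4 = -10 \equiv 4$ and $A_6 = -20 \equiv 1$, which are the $N = 5$ coefficients above evaluated at $b = 1$, and `radical_step_5` gives $b' = 11 \equiv 4$; both curves have $j = 4$. The chain never samples a point of order 5: each step only takes one fifth root and evaluates one rational function, which is exactly what makes the formulae iterable.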

Case $N = 6$. For $N = 6$ we have $F_6(b, c) = c^2 + c - b = 0$, so we work with
$E : y^2 + (1 - c)xy - (c^2 + c)y = x^3 - (c^2 + c)x^2$. Vélu's formulae yield
\[
\begin{aligned}
y^2 + (1 - c)xy - (c^2 + c)y = x^3 - (c^2 + c)x^2
- (15c^4 + 20c^3 + 5c^2 - 5c)x - (19c^6 + 33c^5 + 18c^4 + 22c^3 + 14c^2 - c)
\end{aligned}
\]
as a model for $E' = E/\langle P \rangle$. Its reduced 6-division polynomial $\psi_{E',6}(x)$ behaves
much like in the degree 4 case: there is a unique interesting factor
\[
\begin{aligned}
&x^6 + 6c(2c + 3)x^5 + 3c(20c^3 + 33c^2 + 55c + 37)x^4 \\
&+ 4c(40c^5 + 18c^4 - 237c^3 - 301c^2 - 63c + 28)x^3 \\
&+ 3c(80c^7 - 168c^6 - 1029c^5 - 1028c^4 - 333c^3 - 202c^2 - 93c + 18)x^2 \\
&+ 6c(32c^9 - 192c^8 + 718c^7 + 3131c^6 + 3186c^5 + 847c^4 - 196c^3 - 69c^2 - 22c + 2)x \\
&+ c(64c^{11} - 720c^{10} + 10740c^9 + 38500c^8 + 46773c^7 + 31142c^6
+ 17983c^5 + 7506c^4 + 901c^3 + 13c^2 - 18c + 1)
\end{aligned}
\]
whose roots are the $x$-coordinates of the $P$-distinguished points $P' \in E'$. Letting
$\rho = f_{6,P}(-P) = -b^2/c = -c(c + 1)^2$ and writing $\alpha = \sqrt[6]{\rho}$, one checks that
\[ x_0' = \frac{6}{c + 1}\alpha^5 + \frac{4}{c + 1}\alpha^4 + 3\alpha^3 + 2\alpha^2 - (3c - 1)\alpha - 2c^2 - 3c \]
is such a root; all other roots are found by scaling $\alpha$ with some power of $\zeta_6$. One
then verifies that
\[ y_0' = \frac{3c + 9}{c + 1}\alpha^5 + \frac{2c + 6}{c + 1}\alpha^4 - (12c - 3)\alpha^3 - (17c - 1)\alpha^2 - (15c^2 + 19c)\alpha - c^3 - 18c^2 - 16c \]
is the $y$-coordinate of the corresponding $P$-distinguished point $P'$. When writing
$(E', P')$ in Tate normal form, we find
\[ E' : y^2 + (1 - c')xy - (c'^2 + c')y = x^3 - (c'^2 + c')x^2 \]
with
\[
\begin{aligned}
c' = \frac{1}{(c + 1)(9c + 1)^3}\Big( &(729c^3 + 243c^2 + 243c - 39)\alpha^5 - (108c^2 + 216c - 20)\alpha^4 \\
&- (729c^4 + 729c^3 + 81c^2 - 165c + 10)\alpha^3 + (108c^3 - 36c^2 - 140c + 4)\alpha^2 \\
&+ (729c^5 + 1215c^4 + 486c^3 + 114c^2 + 113c - 1)\alpha - 108c^4 - 36c^3 - 4c^2 - 76c \Big).
\end{aligned}
\]
Once again, this formula can be applied iteratively.

Radical isogenies of degree N ≥ 7. A similar reasoning can be made for
N ≥ 7, but a direct factorization of the reduced N-division polynomial of E'
over Q_N(b, c)(ⁿ√ρ) quickly becomes unwieldy, for several reasons: the coefficients
of E' become more involved, the degree of ψ_{E',N} grows quadratically, and both
ρ and the base field Q_N(b, c) become increasingly complicated, see Table 1. For
instance, from N = 7 onwards it is no longer possible to eliminate one of the
variables b, c using the relation F_N(b, c) = 0. As long as the modular curve X_1(N)
has genus 0, it is possible to get around this by using a different parametrization,
see Table 2, but for N = 11 and N ≥ 13 this is no longer the case.
An approach that already works much better is to use number fields, i.e.
assign a large enough integer value to b, construct the number field defined by
F_N(b, c) = 0 and the degree N extension by adjoining ⁿ√ρ. The root of ψ_{E',N}(x)
is an expression in c and ⁿ√ρ with rational coefficients. We know that each such
coefficient is a rational function in b, so if b is large enough, this function can
be found using lattice reduction. The most effective method is similar to the
previous method, but uses p-adic fields instead of number fields. Again we need
to choose a “large enough” value for b and a large enough precision with which
we represent the p-adic field, to be able to reconstruct the rational function in
b. We followed this approach for N = 13, since Magma struggles to find the
formulae using direct root finding. All formulae for N = 2, . . . , 13 can be found
online at https://github.com/KULeuven-COSIC/Radical-Isogenies.

5 Isogeny chains over finite fields

In this section we use our iterable radical isogeny formulae of the form (8) to
compute chains of N-isogenies between elliptic curves over finite fields F_q with
char F_q ∤ N; the application to CSIDH is given in Section 6. Here we just concentrate
on the computation of long chains of N-isogenies for some fixed N ≥ 2,
and address the following two issues. Firstly, the radicand ρ might not admit an
Nth root over F_q: in the worst case, this could mean that at every iteration we
need to replace the base field with a degree N extension. Secondly, over the algebraic
closure F̄_q there are N choices for ⁿ√ρ, hence the question arises which root to take if we want
to navigate the N-isogeny graph in a controlled way. We discuss three special
cases given by gcd(q − 1, N) = 1, gcd(q − 1, N) = N and gcd(q − 1, N) = 2.

N  | Polynomial relation F_N(b, c) = 0 | Radicand ρ = f_{N,P}(−P)
---|-----------------------------------|-------------------------
4  | c = 0 | −b
5  | c − b = 0 | b
6  | c^2 + c − b = 0 | −b^2/c
7  | c^3 + cb − b^2 = 0 | b^3/c^2
8  | c^2 b − c^2 + 3cb − 2b^2 = 0 | −b^3/(b − c)
9  | c^5 + c^4 − c^3 b + c^3 − 3c^2 b + 3cb^2 − b^3 = 0 | b^3 c^2/(b − c)^2
10 | c^5 + c^4 b + 3c^3 b − 3c^2 b^2 + c^2 b − 2cb^2 + b^3 = 0 | −b^3 c/(c^2 + c − b)
11 | c^7 b + 3c^6 b − c^6 − 3c^5 b^2 + 6c^5 b − 9c^4 b^2 + 4c^3 b^3 + c^3 b^2 − 3c^2 b^3 + 3cb^4 − b^5 = 0 | b^3 (b − c)^2/(c^2 + c − b)^2
12 | c^6 + c^4 b + c^4 − 5c^3 b − c^2 b^3 + 10c^2 b^2 − 9cb^3 + 3b^4 = 0 | −b^4 (b − c)/(b^2 − bc − c^3)
13 | c^10 − c^9 b^2 − 6c^8 b^2 + 6c^8 b + 5c^7 b^3 − 21c^7 b^2 + 3c^7 b + 24c^6 b^3 − 13c^6 b^2 + c^6 b − 9c^5 b^4 + 21c^5 b^3 − 6c^5 b^2 − 15c^4 b^4 + 15c^4 b^3 + 4c^3 b^5 − 20c^3 b^4 + 15c^2 b^5 − 6cb^6 + b^7 = 0 | b^5 (c^2 + c − b)^2/(b^2 − bc − c^3)^2

Table 1: Relations F_N(b, c) = 0 and radicands ρ for small N ≥ 4

N  | r | s | Modular equation | Radicand ρ
---|---|---|------------------|-----------
6  | A | 1 | – | −r^2 (A − 1)
7  | A | A | – | r^4 (A − 1)
8  | 1/(2 − A) | A | – | −(r^2 s)^2 (A − 1)
9  | A^2 − A + 1 | A | – | r^3 s^4 (A − 1)
10 | −A^2/(A^2 − 3A + 1) | A | – | −r^5 s^9 (A − 1)(2A − 1)^2
11 | AB + 1 | 1 − A | B^2 + (A^2 + 1)B + A = 0 | A(rsB)^3
12 | (2A^2 − 2A + 1)/A | (3A^2 − 3A + 1)/A^2 | – | r^4 s^3 A^11 (A − 1)(2A − 1)^2
13 | 1 − AB | 1 − AB/(B + 1) | B^2 + (A^3 + A^2 + 1)B − A^2 − A = 0 | −r^5 B (sA)^3

Table 2: Modular equations and radicands for low degree isogenies. The parameters
r and s are optimised representations of curves with a prescribed N-torsion
point from [26]. The transformations b = rs(r − 1) and c = s(r − 1) can be
used to obtain the Tate normal form E : y^2 + (1 − c)xy − by = x^3 − bx^2, where
P = (0, 0) is a point of order N expressed by the modular equation.

5.1 The case gcd(q − 1, N) = 1

The most straightforward case is gcd(q − 1, N) = 1, where there is a very natural
choice for ⁿ√ρ. Indeed, in this case the map F_q → F_q : a ↦ a^N is a bijection,
so if the starting curve E : y^2 + (1 − c)xy − by = x^3 − bx^2 is defined over F_q,
then so is ρ(b, c) and it admits a unique Nth root which is again defined over
F_q. Choosing this instance of ⁿ√ρ results in new coefficients b', c' ∈ F_q and the
argument repeats. Moreover, the Nth root can be computed as ρ^μ where μ is
such that μN ≡ 1 mod (q − 1). Thus, the condition gcd(q − 1, N) = 1 naturally pulls
out a chain of N-isogenies whose cost, at least for small N, is dominated by a
single F_q-exponentiation at each step.

Lemma 8. Assume that char F_q ∤ N and gcd(q − 1, N) = 1, then End_{F_q} E is
an imaginary quadratic order which is locally maximal at all primes dividing N,
and our chain of N-isogenies corresponds to the repeated action of the ideal class
[(N, π_q − 1)].

Proof. Observe that

$$ \ker([N]) \cap \ker(\pi_q - 1) = E(\mathbb{F}_q)[N] = \langle P \rangle, $$

where the last equality follows from gcd(q − 1, N) = 1 along with the fact that
P = (0, 0) is an F_q-rational point of order N. These properties also imply that

$$ \gcd(t^2 - 4q, N) = \gcd((q + 1 - |E(\mathbb{F}_q)|)^2 - 4q, N) = \gcd((q - 1)^2, N) = 1 $$

with t the trace of Frobenius, showing that End_{F_q} E is indeed an imaginary
quadratic order which is locally maximal at all primes dividing N; see [29, §4].
Thus the isogeny E → E' = E/⟨P⟩ is the horizontal isogeny corresponding to
the invertible ideal (N, π_q − 1) ⊂ End_{F_q} E. Since such isogenies do not change
the structure of E(F_q), and since choosing the unique F_q-rational Nth root of ρ
clearly produces an F_q-rational point of order N, the reasoning can be repeated
and the lemma follows. □
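As an added worked example (not code from the paper or its repository), the Python below applies the recipe of this subsection to N = 5: the unique F_q-rational 5th root of ρ = b is ρ^μ with μ = 5^{−1} mod (q − 1), fed into the b ↦ b' formula quoted in Case N = 5 above; the toy prime q = 10007 (so that gcd(q − 1, 5) = 1) and the start value b = 2 are constructed. As a sanity check it counts points by brute force: curves that are isogenous over F_q share #E(F_q), which here must also be divisible by 5.

```python
# Added example, not code from the paper or its repository: the gcd(q-1, N) = 1
# recipe of Section 5.1 for N = 5.  The radicand of the degree-5 Tate normal form
# E : y^2 + (1-b)xy - by = x^3 - bx^2 is rho = b (Table 1), its unique F_q-rational
# 5th root is rho^mu with 5*mu = 1 mod (q-1), and b' is given by the formula quoted
# in Case N = 5.  The toy prime Q and the start value b = 2 are constructed here.

N = 5
Q = 10007  # constructed toy prime: 10006 = 2 * 5003, so gcd(Q - 1, 5) = 1


def unique_nth_root(rho, n, q):
    """The unique n-th root of rho in F_q when gcd(q-1, n) = 1: rho^mu, mu = n^-1 mod (q-1)."""
    mu = pow(n, -1, q - 1)  # raises ValueError if gcd(q-1, n) != 1, i.e. outside Section 5.1
    return pow(rho, mu, q)


def radical_5_isogeny(b, q):
    """One step b -> b' of the degree-5 radical isogeny over F_q.

    E has P = (0,0) of order 5; b' is the Tate normal form coefficient of
    E' = E/<P> after moving the P-distinguished point P' to (0,0).
    """
    alpha = unique_nth_root(b % q, N, q)  # alpha^5 = rho = b
    num = alpha * (alpha**4 + 3 * alpha**3 + 4 * alpha**2 + 2 * alpha + 1)
    den = alpha**4 - 2 * alpha**3 + 4 * alpha**2 - 3 * alpha + 1
    return num * pow(den, -1, q) % q


def count_points(b, q):
    """#E(F_q) for E : y^2 + (1-b)xy - by = x^3 - bx^2 by brute force.

    Completing the square with Y = 2y + (1-b)x - b turns E into
    Y^2 = 4x^3 - 4bx^2 + ((1-b)x - b)^2, so each x contributes 1 + legendre(rhs)
    affine points; the point at infinity adds one more.
    """
    a1, a2, a3 = (1 - b) % q, (-b) % q, (-b) % q
    total = 1  # point at infinity
    for x in range(q):
        rhs = (4 * x**3 + 4 * a2 * x**2 + (a1 * x + a3) ** 2) % q
        if rhs == 0:
            total += 1
        elif pow(rhs, (q - 1) // 2, q) == 1:  # rhs is a nonzero square: two Y values
            total += 2
    return total


def isogeny_chain(b0, steps, q=Q):
    """Coefficients [b0, b1, ..., b_steps] of a chain of `steps` radical 5-isogenies."""
    bs = [b0 % q]
    for _ in range(steps):
        bs.append(radical_5_isogeny(bs[-1], q))
    return bs


def chain_point_counts(b0, steps, q=Q):
    """#E(F_q) for every curve in the chain; constant, since the curves are F_q-isogenous."""
    return [count_points(b, q) for b in isogeny_chain(b0, steps, q)]


if __name__ == "__main__":
    chain = isogeny_chain(2, 6)
    print("b along the chain:", chain)
    print("#E(F_q) along the chain:", chain_point_counts(2, 6))
```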

Estimating the rough cost of an exponentiation as 1.5 log q multiplications in
F_q, our method should be compared with:

(i) generating an F_q-rational N-torsion point and applying (some form of)
Vélu's formulae; the main cost in this approach is the generation of the
N-torsion point, which consists of generating a random point and multiplying
by the cofactor #E(F_q)/N, taking roughly 11 log q multiplications in F_q;
furthermore this procedure has to be repeated with probability 1/N, which
is non-negligible for small N,
(ii) finding an F_q-rational root of Φ_N(x, j(E)), with Φ_N the classical modular
polynomial of level N; this roughly amounts to computing x^q modulo the
polynomial Φ_N(x, j(E)), whose degree is at least N + 1, so we estimate this
cost as 1.5(N + 1)^2 log q multiplications in F_q.

However, for growing N it becomes unfair to measure the cost of a radical
isogeny by merely an exponentiation in F_q: the algebraic expressions for b' and c'
in terms of b, c, ⁿ√ρ become increasingly complicated, and the cost of evaluating
these expressions quickly overtakes the cost of the exponentiation as shown in
Table 3. We also remark that the majority of the multiplications are with small
constants coming from the explicit formulae as illustrated in Section 4. The size
of these constants also grows with N, e.g. for N = 13 the constants have a size
of up to 14 bits.

            | Computational cost   | Relative cost of formulae evaluation
------------|----------------------|-------------------------------------
3-isogeny   | E + 6M + 3A          | 2.2%
4-isogeny   | E + 4M + 3A + I      | 3.9%
5-isogeny   | E + 7M + 6A + I      | 4.8%
7-isogeny   | E + 24M + 20A + I    | 10.1%
9-isogeny   | E + 69M + 58A + I    | 20.5%
11-isogeny  | E + 599M + 610A + I  | 67.7%
13-isogeny  | E + 783M + 776A + I  | 71.9%

Table 3: The computational cost of radical N-isogenies over a finite field F_q.
The letters E, M, A and I denote exponentiation, multiplication, addition and
inversion respectively. The last column expresses the cost of the multiplications,
additions and inversions, relative to the total cost. The percentages are computed
from the evaluation of a chain of 10 000 horizontal N-isogenies over F_p, where p
is the CSURF-512 prime from [7].

A similar overhead is present in approach (ii) using modular polynomials


(where moreover one is left with the task of determining the correct twist),
which seems consistently outperformed by our radical isogeny formulae. As for
the basic approach (i) using Vélu’s formulae, it is shown in Table 4 that for
small N , radical isogenies are up to 50 times faster, the main reason being that
radical isogenies can be chained without explicitly generating a new N -torsion
point on each curve. From N ≈ 15 onwards, the overhead becomes so large that
radical isogenies become less efficient.

5.2 The case gcd(q − 1, N) = N

At the other extreme, if N | q − 1 then F_q contains a primitive Nth root of unity
ζ_N. As a consequence, if ρ ∈ F_q^* admits an Nth root ⁿ√ρ ∈ F_q, then all Nth
roots are defined over F_q. But the probability that a random ρ ∈ F_q^* admits an
Nth root in F_q is 1/N only, so one would expect that the base field needs to be
extended at most steps of the iteration.
The situation is much better in the following special case: let q = p^2 for some
prime p ≡ −1 mod N, so that indeed N | q − 1, and let E/F_q be a supersingular
elliptic curve, say with |E(F_q)| = (p + 1)^2. Such curves are used in the CGL

            | Sampling N-torsion | Isogenous curve Vélu | Image of a point | Modular polynomial | Radical isogeny
------------|--------------------|----------------------|------------------|--------------------|----------------
3-isogeny   | 50,449,710 | 38,513  | 18,860 | 9,939,840   | 1,071,612
4-isogeny*  | 63,693,051 | 45,093  | 45,004 | 29,628,400  | 1,101,677
5-isogeny   | 41,519,930 | 140,968 | 33,453 | 19,943,602  | 1,086,011
7-isogeny   | 39,049,435 | 247,526 | 47,734 | 34,049,452  | 1,192,454
9-isogeny   | 47,994,892 | 319,695 | 70,899 | 76,299,055  | 1,304,341
11-isogeny  | 36,755,529 | 448,043 | 75,995 | 76,435,364  | 3,161,470
13-isogeny  | 36,252,253 | 548,833 | 90,168 | 147,552,105 | 3,626,544

Table 4: Clock cycles (using Magma v2.32-2 on an Intel(R) Xeon(R) CPU E5-2630 v2
@ 2.60GHz with 128 GB memory) for an individual step in a horizontal
N-isogeny chain, basic Vélu approach vs. (unique) root of the modular polynomial
vs. radical isogenies averaged over a chain of 10 000 N-isogenies over the
finite field F_p, where p is the CSURF-512 prime from [7]. The probability of
failure to sample an N-torsion point for composite N is larger than 1/N, and
the degree of the modular polynomial scales faster for composite numbers, which
explain the results for N = 4, 9 for the first two methods. * The clock cycles
for 4-isogenies for the first two methods are obtained from random 4-isogenies
instead of exclusively horizontal ones. Every curve has three 4-isogenous elliptic
curves and identifying the correct one would require an additional square-check
(see Section 5.3).

hash function and in SIDH, but since these rely exclusively on 2- and 3-isogenies
which are already heavily optimized, we do not expect any real improvement for
these applications. On these curves we have π_q = [−p], from which it follows
that E[N] ⊂ E(F_q). Let P ∈ E be any point of order N, then we claim that
ρ = f_{N,P}(−P) ∈ F_q^* is an Nth power, i.e. t_N(P, −P) = 1.
To see this, note that the codomain of ϕ : E → E' = E/⟨P⟩ again satisfies
|E'(F_q)| = (p + 1)^2 and therefore E'[N] ⊂ E'(F_q). In particular, any
P-distinguished point P' takes coordinates in F_q and we conclude

$$ t_N(P, -P) = t_N(\hat\varphi(P'), -\hat\varphi(P')) = t_N(P', -P')^N = 1. $$

The argument of course repeats, so in this case one can keep applying our radical
isogeny formulae, choosing an Nth root of ρ at each iteration, without ever
leaving F_q. A performance comparison with the modular polynomial method (ii)
from the previous section can be found in Table 5.

5.3 The case gcd(q − 1, N) = 2

An interesting intermediate case is gcd(q − 1, N) = 2, where an element ρ ∈ F_q^*
is an Nth power if and only if it is a square. If it is, then it has exactly two
Nth roots ±ⁿ√ρ. If q ≡ 3 mod 4 then one of these Nth roots is a square and
one of them is not; they can be computed as ρ^μ resp. −ρ^μ, where μ is such that
μN ≡ 1 mod (q − 1)/2.

            | Modular polynomial | Radical isogeny
------------|--------------------|----------------
3-isogeny   | 397,463,526   | 7,376,366
4-isogeny   | 705,256,757   | 29,128,205
5-isogeny   | 1,020,128,985 | 8,988,513
7-isogeny   | 1,889,168,090 | 8,973,325
9-isogeny   | 2,795,301,745 | 24,966,750
11-isogeny  | 3,827,699,588 | 12,707,001
13-isogeny  | 5,533,476,662 | 14,563,945

Table 5: Clock cycles (using Magma v2.32-2 on an Intel(R) Xeon(R) CPU E5-2630 v2
@ 2.60GHz with 128 GB memory) for an individual step in an N-isogeny
chain, roots of the modular polynomial vs. radical isogenies averaged over a chain
of 1 000 N-isogenies over finite fields F_{p^2}. The prime p = 2^512 + ε was chosen
per N-isogeny such that p ≡ −1 mod N and such that p ≡ 3 mod 4, so that we
could start from E : y^2 = x^3 + x; concretely, for N = 3, 4, 5, 7, 9, 11, 13 we took
ε = 727, 75, 2743, 7471, 1147, 29607, 1147 respectively.

For N = 2, it was observed in [7] that this distinction allows for a controlled
navigation of the 2-isogeny graph of supersingular elliptic curves E over a finite
prime field F_p with p ≡ 7 mod 8. Concretely, such curves come in two types:
curves on ‘the floor’ have endomorphism ring Z[√−p] and admit a unique F_p-rational
point of order 2, while curves on ‘the surface’ have endomorphism ring
Z[(1 + √−p)/2] and have three distinguished F_p-rational points of order 2:

– P^−, whose halves have x-coordinates that are not defined over F_p,
– P_1^+, whose halves are not defined over F_p, but their x-coordinates are,
– P_2^+, whose halves are defined over F_p

(see Figure 1). Quotienting out P^− takes us from the surface to the floor, while
quotienting out P_1^+ and P_2^+ amounts to traveling along the surface, using the
horizontal isogenies corresponding to the respective ideals (2, (√−p + 1)/2),
(2, (√−p − 1)/2) of Z[(1 + √−p)/2], see [7, Lem. 5].

Lemma 9. If the curve point pair (E, P_1^+) resp. (E, P_2^+) is in the form (E, P)
with

$$ E : y^2 = x^3 + a_2 x^2 + a_4 x, \quad P = (0, 0), \quad a_2, a_4 \in \mathbb{F}_q $$

as in Section 4, then ρ = a_4 is a square. Applying the iterative formulae (9)
corresponds to the repeated action of [(2, (√−p + 1)/2)] resp. [(2, (√−p − 1)/2)]
if one consistently computes √ρ as −ρ^μ resp. ρ^μ.

Proof. The fact that ρ = a_4 is a square follows from the proof of [7, Lem. 3].
From [7, Lem. 4] it follows that selecting −ρ^μ resp. ρ^μ corresponds to selecting
P_1'^+ resp. P_2'^+ on E', which implies the lemma. Note that the other square root
of ρ corresponds to P'^− in both cases, taking us to the floor. □

[Figure 1 (diagram): two surface curves E and E' with endomorphism ring Z[(1 + √−p)/2], each carrying the distinguished 2-torsion points P_1^+, P_2^+, P^− (resp. P_1'^+, P_2'^+, P'^−), and the floor curves with endomorphism ring Z[√−p] below them.]

Figure 1: A connected component of the 2-isogeny graph of supersingular elliptic
curves over F_p with p ≡ 7 mod 8, highlighting two elliptic curves on the surface
together with their three distinguished 2-torsion points and the corresponding
2-isogenies.

The first observation, namely that ρ is a square, generalizes to all N satisfying
gcd(p − 1, N) = 2, where we continue to work over F_p with p ≡ 7 mod 8. More
precisely, consider a curve E on the surface, let us say in Tate normal form with
P = (0, 0) a point of order N ≥ 4. The cyclic N-isogeny ϕ : E → E' = E/⟨P⟩ is
the composition of a horizontal N/2-isogeny, i.e. to another curve on the surface,
and either (i) a horizontal 2-isogeny or (ii) a vertical 2-isogeny. Then we claim
that we are in case (i) if and only if ρ is a square. To see this, note that we are in
case (i) if and only if there exists a point P' ∈ E'(F_p) such that the composition
of ϕ with E' → E'/⟨P'⟩ is cyclic of degree N^2. If ρ is a square then the existence
of such a point simply follows from our radical isogeny formulae (7). Conversely,
if there exists such a point P' then we necessarily have P = λϕ̂(P') for some
λ ∈ (Z/N)^*, and it follows from

$$ t_N(P, -P) = t_N(\lambda\hat\varphi(P'), -\lambda\hat\varphi(P')) = t_N(P', -P')^{N\lambda^2} $$

that ρ is a square.
Unfortunately, it seems harder to generalize the second observation, but
based on experiments we conjecture the following statement for N = 4, in which
case we can take μ = (p + 1)/8:

Conjecture 2. Assume that N = 4 and that (E, P) is in Tate normal form

$$ y^2 + xy - by = x^3 - bx^2, \quad P = (0, 0), \quad b \in \mathbb{F}_p $$

as above. If the isogeny E → E/⟨P⟩ is horizontal then ρ = −b is a square.
Moreover, applying the iterative formula (10) corresponds to the repeated action
of [(2, (√−p − 1)/2)]^2 if one consistently computes α = ⁴√ρ as −ρ^μ resp. ρ^μ,
depending on whether p ≡ 7 mod 16 resp. p ≡ 15 mod 16.

Note that we have just come to argue why ρ = −b is indeed a square. Also,
since P = (0, 0) ∈ E(F_p), we necessarily have that 2P equals P_2^+, the unique
point of order 2 whose halves are F_p-rational. As a result, since the isogeny
ϕ : E → E' = E/⟨P⟩ is cyclic and horizontal, it necessarily corresponds to the
action of [(2, (√−p − 1)/2)]^2. Therefore, the main open problem in proving the
conjecture is the last claim. So far, we did not succeed in giving a proof, nor did
we manage to generalize its statement to larger values of N.

6 Speeding up CSIDH

Recall from Section 2.6 that the core operation in CSIDH is computing a composition
of many horizontal isogenies, which for odd ℓ_i correspond to ideals of
the form (ℓ_i, √−p − 1) or (ℓ_i, √−p + 1). The exact composition that needs to
be computed can be specified as an exponent vector [e_1, . . . , e_r], where each
e_i ∈ [−B_i, B_i] indicates how many horizontal isogenies of degree ℓ_i have to be
computed. In practice often B_i = B for all i, where B is some fixed small value
such that (2B + 1)^r > 2^{2λ}, with λ the (classical) security parameter. Since
computing the action of (ℓ_i, √−p + 1) can be reduced to computing the action of
(ℓ_i, √−p − 1) at virtually no cost using quadratic twisting [9, Lemma 5], for simplicity
we will assume that e_i ≥ 0 for all i. The basic approach for computing the
action of (ℓ_i, √−p − 1) is through Vélu's formulae, which require us to generate
an F_p-rational ℓ_i-torsion point as an expensive intermediate step.
In CSIDH this problem is (partly) remedied by chaining isogenies of distinct
degrees, i.e. computing a horizontal isogeny of degree N = ∏_{i=1}^r ℓ_i^{δ_i} where δ_i = 1
if e_i > 0 and zero otherwise. Without loss of generality we will assume that all
δ_i = 1. Instead of generating an ℓ_i-torsion point in every step, one first generates
a point Q of order (possibly dividing) N and then pushes Q through the isogeny
chain. Denote with Q_k = ϕ_k(Q) with ϕ_k the isogeny of degree N_k = ∏_{i=1}^k ℓ_i,
then if Q had order N at the start, Q_k will have order M_k = N/N_k. To generate
a point of order ℓ_{k+1} it therefore suffices to compute [M_k/ℓ_{k+1}]Q_k, which is
much cheaper than a full scalar multiplication, certainly for larger k. Note that
in practice the original point Q does not necessarily have full order N, so this
procedure might skip a few ℓ_i. This method therefore amortizes the cost of one
full scalar multiplication (to generate the initial Q) over the different primes ℓ_i,
and only requires a multiplication by [M_k/ℓ_{k+1}] in step k. Table 4 shows that
pushing a point through an isogeny is a rather cheap operation, and the main
costs are still the generation of the initial Q's and the scalar multiplications by
[M_k/ℓ_{k+1}]. Table 4 also shows that when discarding torsion point computations,
computing a radical isogeny of degree ℓ_i is slower than a simple application of
Vélu's formulae.
For the above approach, it is clear that the number of initial Q's that need to
be generated is (at least) max_i B_i, so it typically does not make sense to sample
the exponent vectors from a very skew box, i.e. to take B_1 ≫ B_r, even though
computing an isogeny of degree ℓ_1 is much cheaper than computing an isogeny
of degree ℓ_r. However, using radical isogenies it does make sense to really skew
the box since for every prime ℓ_i one only needs to generate one Q. Moreover,
the radicals ⁿ√ρ can be computed at the cost of a single F_p-exponentiation in
view of Lemma 8, and radical isogenies allow for an easy treatment of the case
ℓ_i = 2, as discussed in Section 5.3.

Implementation
To illustrate this approach, we implemented a variant of CSIDH that also uses
radical isogenies to compute the class group action. Our implementation uses
Magma v.2.25-2 [5] and is available at https://github.com/KULeuven-COSIC/
Radical-Isogenies and builds upon the code from [1]. Concretely, for 128 bits
of classical security, consider the field F_p, with p the CSURF-512 prime from [7],
i.e.

$$ p = 2^3 \cdot 3 \cdot (3 \cdot \ldots \cdot 389) - 1 \approx 2^{512}, $$

where the product 3 · . . . · 389 runs over 74 consecutive primes, skipping 347 and 359.

In the implementation of [1], the authors used B_i = 5 for all i, however using
radical isogenies we propose the skew box

$$ I = [-202; 202] \times [-170; 170] \times [-95; 95] \times [-91; 91] \times [-33; 33] \times [-29; 29] \times [-6; 6]^{20} \times [-5; 5]^{14} \times [-4; 4]^{10} \times [-3; 3]^{10} \times [-2; 2]^{8} \times [-1; 1]^{7}. $$

These vectors represent the action of classes of ideals of the form

$$ \Big(2, \tfrac{\sqrt{-p} - 1}{2}\Big)^{e_1} (3, \sqrt{-p} - 1)^{e_2} (5, \sqrt{-p} - 1)^{e_3} \cdots (389, \sqrt{-p} - 1)^{e_{75}} $$

on elements from the set of public keys S_p^− = {A ∈ F_p | y^2 = x^3 + Ax^2 − x is a supersingular elliptic curve}.
The set S_p^− is in 1-to-1 correspondence with
F_p-isomorphism classes of supersingular elliptic curves, which allows for a slightly
easier key validation than using Montgomery curves. The set I contains approximately
2^256 integer vectors, and just as in [8], we heuristically assume that these
vectors represent the elements in the class group quasi-uniformly.
Again, for simplicity let us assume that e_i ≥ 0 for all i. Then the first step
in computing the class group action is finding a 4-torsion point P, such that
if we compute the isogeny ϕ : E → E/⟨2P⟩, it holds that ϕ(P) has halves
defined over F_p. In accordance with Conjecture 2 and the discussion following it,
this implies that the isogeny with kernel ⟨P⟩ will then correspond to the action
of (2, (√−p − 1)/2)^2. In order to iteratively compute this horizontal 4^{⌊e_1/2⌋}-isogeny,
we first swap to the Tate normal form by translating P to (0, 0). After
iterating the 4-isogeny formula ⌊e_1/2⌋ times, we perform a vertical isogeny to a
Montgomery representation of an elliptic curve on the floor. If e_1 is odd, we do
a single horizontal 2-isogeny on the Montgomery curve, as explained in [1].
The rest of the computation is done on Montgomery curves on the floor for
two reasons. The first is that arithmetic on Montgomery curves is slightly more
efficient than arithmetic on curves represented by elements of S_p^−. The second
reason is that, in order to compute 3-, 5-, 7-, 11- and 13-isogenies, we will need
to swap between elliptic curves in Tate normal form and Montgomery curves.

Computing the Montgomery representation of an elliptic curve is essentially
finding a two-torsion point, which in practice means finding a solution to a
cubic equation. If a cubic equation has three solutions, the explicit formulae to
compute any single one of them require going through a quadratic field extension,
even if all solutions are defined over the ground field.² An elliptic curve on the
floor however, only has one nontrivial two-torsion point. In this case, the cubic
equation has exactly one solution over F_p, and the formula to find it does not
require field extensions.
We then compute a horizontal 3^{e_2}-isogeny as follows. We first sample a 9-torsion
point and swap to the Tate normal form by translating this point to
(0, 0). Next, we calculate a 9^{⌊e_2/2⌋−1}-isogeny iteratively. We perform one last
9-isogeny using Vélu's formulae on the Tate normal form with kernel generator
(0, 0), before swapping back to the Montgomery form of this curve. The reason
for this choice is that one more iteration of the formulae would be more expensive,
since we already know the final 9-torsion point and hence can simply use Vélu's
formulae. If e_2 is odd, we will compute this final 3-isogeny together with the
ℓ-isogenies for ℓ ≥ 17.
The ℓ^{e_i}-isogenies for ℓ^{e_i} = 5^{e_3}, 7^{e_4}, 11^{e_5}, 13^{e_6} are then iteratively computed
in a similar manner. We first compute an ℓ-torsion point on a Montgomery curve
to swap to the Tate normal form. Next, we iterate the formulae for ℓ-isogenies
e_i − 1 times, and the final ℓ-isogeny is computed using Vélu's formulae, at which
point we go back to the Montgomery representation of the curve. The only
noteworthy exception is that if e_i = 1, we use the original computation of the
CSIDH class group action. The reason for this is that swapping to a Tate normal
form requires sampling an ℓ-torsion point, which means it is more efficient to
perform this action together with the ℓ-isogenies for ℓ ≥ 17.
The rest of the ℓ-isogenies for ℓ ≥ 17 are performed as in [8], where optimizations
such as those of [1] can be applied. At the end, we perform one final
vertical isogeny to the surface to obtain a public key in S_p^−.
We set the bound to swap to the new formulae of [1] at ℓ > 113, since this is
the threshold where they start outperforming the formulae of [21] in Magma. The
box I from which the exponent vectors are sampled was obtained heuristically
over a large sample and is near optimal. Over a sample size of 100 000 class
group actions each, our variant of CSIDH results in a speed-up of 19% over the
one from [1]. We do note that this comparison is with respect to the CSIDH-512
parameter version, since the Magma code from [1] based on the CSURF-512
parameters did not seem to work. Since the CSIDH-512 parameters do not allow
horizontal 2-isogenies, a small part of our speed-up can be ascribed to the work
of [7].

² This is known as the casus irreducibilis, proven by Pierre Wantzel in the first half of
the 19th century.

7 Conclusion and open problems
Starting from a curve E with an N-torsion point P we have proved the existence
of explicit formulae for the isogenous curve E' = E/⟨P⟩ and the coordinates of a
point P' on E' of order N, such that the composition of E → E' = E/⟨P⟩ with
E' → E'/⟨P'⟩ is cyclic of degree N^2. This property implies that the formulae
can be used repeatedly to compute chains of N-isogenies without generating
N-torsion points in each step of the chain. Furthermore, the formulae, which we
have described explicitly for N ≤ 13, only involve basic arithmetic operations,
except for the extraction of an Nth root. We have implemented these formulae
and used them in two main applications: computing a chain consisting solely of
N-isogenies, where we obtained a speed-up ranging from a factor 29 for N = 7
to a factor 5 for N = 13, and an improved implementation of CSIDH which is
19% faster than the state of the art implementation.

Open problems The following problems remain open and are interesting future
work:
– Prove Conjecture 1, stating that our formulae have good reduction wherever
there is no obvious obstruction.
– Devise a more efficient method for explicitly finding the radical isogeny formulae
to avoid our current approach of factoring N-division polynomials as
in Section 4, which is a major bottleneck.
– Optimize our formulae, e.g. is it indeed true that the P-distinguished case
yields the most compact expressions? Using the relations α^N = ρ(b, c) and
F_N(b, c) = 0, using different instances of ρ, or using different parametrizations
of X_1(N) as in Table 2 or [26], can we rewrite our formulae such that
they become more efficient?
– Prove Conjecture 2 on radical isogenies of degree N = 4 between supersingular
elliptic curves over F_p with p ≡ 7 mod 8, and generalize it to larger
even values of N.
– Measure the impact of our work on constant-time implementations of CSIDH
and on the quantum circuits discussed in [3].

References
[1] Daniel J. Bernstein, Luca De Feo, Antonin Leroux, and Benjamin Smith. Faster
computation of isogenies of large prime degree. In ANTS-XIV, volume 4 of Open
Book Series, pages 39–55. Mathematical Sciences Publishers, 2020.
[2] Daniel J. Bernstein and Tanja Lange. Montgomery curves and the Montgomery
ladder. IACR Cryptology ePrint Archive, 2017:293, 2017. https://ia.cr/2017/293.
[3] Daniel J. Bernstein, Tanja Lange, Chloe Martindale, and Lorenz Panny. Quantum
circuits for the CSIDH: Optimizing quantum evaluation of isogenies. In Eurocrypt
2019 (2), volume 11477 of Lecture Notes in Computer Science, pages 409–441.
Springer, 2019.
[4] Ian F. Blake, Gadiel Seroussi, and Nigel P. Smart, editors. Advances in elliptic
curve cryptography, volume 317 of London Mathematical Society Lecture Note
Series. Cambridge University Press, Cambridge, 2005.
[5] Wieb Bosma, John Cannon, and Catherine Playoust. The Magma algebra system.
I. The user language. Journal of Symbolic Computation, 24(3-4):235–265, 1997.
[6] Fouazou Lontouo Perez Broon, Thinh Dang, Emmanuel Fouotsa, and Dustin
Moody. Isogenies on twisted Hessian curves. Journal of Mathematical Cryptology,
15:345–358, 2021.
[7] Wouter Castryck and Thomas Decru. CSIDH on the surface. In PQCrypto 2020,
volume 12100 of Lecture Notes in Computer Science, pages 111–129, 2020.
[8] Wouter Castryck, Tanja Lange, Chloe Martindale, Lorenz Panny, and Joost
Renes. CSIDH: An efficient post-quantum commutative group action. In Asiacrypt
2018 (3), volume 11274 of Lecture Notes in Computer Science, pages 395–427.
Springer, 2018.
[9] Wouter Castryck, Lorenz Panny, and Frederik Vercauteren. Rational isogenies
from irrational endomorphisms. In EUROCRYPT (2), volume 12106 of Lecture
Notes in Computer Science, pages 523–548. Springer, 2020. https://ia.cr/2019/1202.
[10] Denis X. Charles, Kristin E. Lauter, and Eyal Z. Goren. Cryptographic hash
functions from expander graphs. Journal of Cryptology, 22(1):93–113, 2009.
[11] Jesús-Javier Chi-Domínguez and Francisco Rodríguez-Henríquez. Optimal
strategies for CSIDH. Advances in Mathematics of Communications, 2020.
[12] Keith Conrad. Simple radical extensions. Expository paper.
https://kconrad.math.uconn.edu/blurbs/galoistheory/simpleradical.pdf.
[13] Jean-Marc Couveignes. Hard homogeneous spaces. IACR Cryptology ePrint
Archive, 2006:291, 2006. https://ia.cr/2006/291.
[14] Luca De Feo, Jean Kieffer, and Benjamin Smith. Towards practical key exchange
from ordinary isogeny graphs. In ASIACRYPT (3), volume 11274 of Lecture Notes
in Computer Science, pages 365–394. Springer, 2018. https://ia.cr/2018/485.
[15] Florian Hess. A note on the Tate pairing of curves over finite fields. Archiv der
Mathematik, 82:28–32, 2004.
[16] David Jao and Luca De Feo. Towards quantum-resistant cryptosystems from
supersingular elliptic curve isogenies. In PQCrypto 2011, volume 7071 of Lecture
Notes in Computer Science, pages 19–34, 2011.
[17] Serge Lang. Algebra, volume 211 of Graduate Texts in Mathematics. Springer-Verlag,
New York, third edition, 2002.
[18] Michael Meyer and Steffen Reith. A faster way to the CSIDH. In Indocrypt 2018,
volume 11356 of Lecture Notes in Computer Science, pages 137–152. Springer,
2018.
[19] Tomoki Moriya, Hiroshi Onuki, and Tsuyoshi Takagi. How to construct CSIDH
on Edwards curves. In CT-RSA 2020, volume 12006 of Lecture Notes in Computer
Science, pages 512–537. Springer, 2020.
[20] Kohei Nakagawa, Hiroshi Onuki, Atsushi Takayasu, and Tsuyoshi Takagi. l_1-norm
ball for CSIDH: Optimal strategy for choosing the secret key space. IACR
Cryptology ePrint Archive, 2020:181, 2020. https://ia.cr/2020/181.
[21] Joost Renes. Computing isogenies between Montgomery curves using the action
of (0,0). In PQCrypto 2018, volume 10786 of Lecture Notes in Computer Science,
pages 229–247. Springer, 2018.
[22] Alexander Rostovtsev and Anton Stolbunov. Public-key cryptosystem based on
isogenies. IACR Cryptology ePrint Archive, 2006:145, 2006. https://ia.cr/2006/145.pdf.
[23] Joseph H. Silverman. The arithmetic of elliptic curves, volume 106 of Graduate
Texts in Mathematics. Springer, second edition, 2009.
[24] The Stacks project authors. The Stacks project. https://stacks.math.columbia.edu, 2020.
[25] Marco Streng. Generators of the group of modular units for Γ_1(N) over the
rationals. Cornell University, arXiv:1503.08127v2, 2019. https://arxiv.org/abs/1503.08127v2.
[26] Andrew Sutherland. Constructing elliptic curves over finite fields with prescribed
torsion. Mathematics of Computation, 81(278):1131–1147, 2012.
[27] Michael A. Tsfasman and Serge G. Vlăduţ. Algebraic-geometric codes, volume 58
of Mathematics and its Applications (Soviet Series). Kluwer Academic Publishers
Group, Dordrecht, 1991. Translated from the Russian by the authors.
[28] Jacques Vélu. Isogénies entre courbes elliptiques. Comptes-Rendus de l'Académie
des Sciences, Série I, 273:238–241, 1971.
[29] William C. Waterhouse. Abelian varieties over finite fields. Annales scientifiques
de l'École Normale Supérieure, 2:521–560, 1969.

28
168 RADICAL ISOGENIES
Chapter 10

Multiradical isogenies and superspecial (3,3)-hash functions

The worst thing you can do is to completely solve a problem.

Daniel Kleitman

Publication data

Wouter Castryck and Thomas Decru (2021). Multiradical isogenies. IACR Cryptol. ePrint Arch., 1133. (To appear in AMS Contemporary Mathematics)

Own contribution

My main contributions are working out several examples on paper or with help
from Magma (such as the products of elliptic curves, the radical (3, 3)-isogenies
and the radical (5, 5)-isogenies), the implementation of the (3, 3)-hash function,
as well as writing several sections of the paper.

Multiradical isogenies

Wouter Castryck and Thomas Decru

Abstract. We argue that for all integers $N \geq 2$ and $g \geq 1$ there exist “multiradical” isogeny formulae, that can be iteratively applied to compute $(N^k, \ldots, N^k)$-isogenies between principally polarized $g$-dimensional abelian varieties, for any value of $k \geq 2$. The formulae are complete: each iteration involves the extraction of $g(g+1)/2$ different $N$th roots, whence the epithet multiradical, and by varying which roots are chosen one computes all $N^{g(g+1)/2}$ extensions to an $(N^k, \ldots, N^k)$-isogeny of the incoming $(N^{k-1}, \ldots, N^{k-1})$-isogeny. Our group-theoretic argumentation is heuristic, but it is supported by concrete formulae for several prominent families. As our main application, we illustrate the use of multiradical isogenies by implementing a hash function from $(3,3)$-isogenies between Jacobians of superspecial genus-2 curves, showing that it outperforms its $(2,2)$-counterpart by an asymptotic factor $\approx 9$ in terms of speed.

1 Introduction
In a previous joint work with Vercauteren [10], we introduced the concept of radical isogenies between elliptic curves, which in low degree allow for a very fast computation of isogeny chains over finite fields, e.g., of the type used in Charles, Goren and Lauter's hash function [12] and in the Couveignes–Rostovtsev–Stolbunov key exchange protocol [14, 42] and its descendant CSIDH [11].
The central observation was that for any integer $N \geq 2$ there exist explicit formulae which, upon input of an elliptic curve $E$ — say given in long Weierstrass form — over a perfect field $K$ with $\operatorname{char} K \nmid N$ and a point $P \in E$ of order $N$, produce the coordinates of an order-$N$ point $P' \in E' = E/\langle P \rangle$ such that the isogeny $\varphi' : E' \to E'/\langle P' \rangle$ cyclically extends $\varphi : E \to E/\langle P \rangle$. This, of course, assumes that we have a defining equation for $E'$ at hand, such as the one provided by Vélu [45]. Moreover, the formulae can be chosen to enjoy the following properties.
(1) Radicality. The formulae are algebraic expressions in the coefficients of $E$, the coordinates of $P$ and a radical $\sqrt[N]{r_1}$, where $r_1$ is itself an algebraic expression in these coefficients and coordinates.
(2) Completeness. By varying the $N$th root chosen, i.e., by scaling $\sqrt[N]{r_1}$ with powers of a primitive $N$th root of unity $\zeta_N \in \bar K$, we obtain generators for all $N$ subgroups $G' \subseteq E'$ of order $N$ which are such that $E' \to E'/G'$ cyclically extends $\varphi$.
(3) Good reduction. The formulae are naturally defined over $\mathbb{Z}[1/N]$, i.e., they work over any perfect field $K$ with $\operatorname{char} K \nmid N$.

imec-COSIC, Kasteelpark Arenberg 10/2452, 3001 Leuven (Heverlee), Belgium
wouter.castryck@esat.kuleuven.be, thomas.decru@esat.kuleuven.be
(The last property is in fact conjectural [10, Conj. 1].) Concrete versions of our
radical isogeny formulae for N = 2, . . . , 13 can be found in the GitHub repository
that accompanies [10]. For the sake of illustration, we have included the details
of the case N = 5 in Section 4.
The current paper studies how radical isogenies generalize to principally polarized (p.p.) abelian varieties of any given dimension $g \geq 1$. That is, we are looking for formulae which, upon input of a $g$-dimensional p.p. abelian variety $A$ over a perfect field $K$ with $\operatorname{char} K \nmid N$ and points $P_1, \ldots, P_g \in A$ that generate an $(N, \ldots, N)$-subgroup¹ $G \subseteq A$, produce the coordinates of points $P_1', \ldots, P_g' \in A' = A/G$ generating an $(N, \ldots, N)$-subgroup $G' \subseteq A'$ such that the composition $A \to A' = A/G \to A'/G'$ is an $(N^2, \ldots, N^2)$-isogeny.
When aiming for universally applicable formulae, a major bottleneck is the lack of an analogue of the long Weierstrass form for p.p. abelian varieties of dimension $g \geq 2$. That is, we do not know of a set of defining equations from which every $g$-dimensional p.p. abelian variety $A$ can be obtained by specializing coefficients. Moreover, in practical applications, we are mostly interested in instances of $A$ that are described in a more implicit form, e.g., as the Jacobian of some genus-$g$ curve, or as a product of Jacobians of lower-genus curves. Things are complicated further by the fact that the isogenous p.p. abelian variety $A'$ may be of a different type, e.g., if $A$ is a Jacobian, then this may not be the case for $A'$.
We therefore focus on smaller families, parametrized by the points $s$ of some quasi-affine set $S$. We assume to have algebraic formulae at our disposal which can be evaluated at the coordinates of any point $s \in S$, each time producing a $g$-dimensional p.p. abelian variety $A_s$ together with points $P_{s,1}, \ldots, P_{s,g}$ that generate an $(N, \ldots, N)$-subgroup $G_s \subseteq A_s$. We furthermore assume that the family comes equipped with Vélu-like formulae providing an explicit description of the isogenous p.p. abelian variety $A_s' = A_s/G_s$. Several examples of such families can be found in Section 4 and Section 5.
Conjecture 1. Under the above assumptions, there always exist accompanying formulae which, when evaluated at $s$, produce points $P_{s,1}', \ldots, P_{s,g}' \in A_s'$ generating a subgroup $G_s' \subseteq A_s'$ such that the composition $A_s \to A_s' \to A_s'/G_s'$ is an $(N^2, \ldots, N^2)$-isogeny. Moreover, these formulae can be chosen to enjoy the following properties:
(1) Multiradicality. They are algebraic expressions in the coordinates of $s$ and radicals $\sqrt[N]{r_1}, \ldots, \sqrt[N]{r_{g(g+1)/2}}$, where in turn the radicands $r_i$ are algebraic expressions in the coordinates of $s$.
(2) Completeness. By varying the $N$th roots chosen, i.e., by scaling them with powers of $\zeta_N \in \bar K$, we obtain generating sets for all $N^{g(g+1)/2}$ subgroups $G_s' \subseteq A_s'$ such that $A_s \to A_s' = A_s/G_s \to A_s'/G_s'$ is an $(N^2, \ldots, N^2)$-isogeny.
(3) Good reduction. If the family $S$ is defined over $\mathbb{Z}[1/M]$ for some multiple $M$ of $N$, then so are our formulae, i.e., they work over any perfect field $K$ with $\operatorname{char} K \nmid M$.

¹ See Section 2.2 for a definition.
Formulae of the above kind will be called multiradical isogeny formulae. We refer to Section 3 for a more extensive discussion of Conjecture 1, where we will provide a group-theoretic heuristic argument in favor of the existence of multiradical isogeny formulae. However, we stress that each of the above subclaims remains conjectural. We will also discuss an addendum to Conjecture 1, namely that one can always take the radicands $r_1, \ldots, r_{g(g+1)/2}$ to be representants of the Tate pairings $t_N(P_{s,i}, P_{s,j})$, $1 \leq i \leq j \leq g$, in the sense of Frey and Rück [24], as soon as these are well-defined.
Further support comes from concrete examples of multiradical isogeny formulae, which are discussed in Section 4 and Section 5. For arbitrary $N$ and in arbitrary dimension $g$, we discuss fully split $(N, \ldots, N)$-isogenies from $g$-fold products of elliptic curves. Other examples focus on Jacobians of genus-2 curves, where we discuss non-split $(2,2)$-isogenies (also known as Richelot isogenies) and non-split $(3,3)$-isogenies as described by Bruin, Flynn and Testa [5]. We also study the multiradical nature of certain $(5,5)$-isogenies that were described by Flynn [21].
Remark 1. Our eventual goal is the computation of $(N^k, \ldots, N^k)$-isogenies, for arbitrary $k \geq 2$, achieved by an iterated application of our formulae. However, it is possible, and unavoidable in general, that the isogenous p.p. abelian variety $A_s'$ marked with $P_{s,1}', \ldots, P_{s,g}'$ does not belong to our family. For instance, if $S$ parametrizes Jacobians of genus-2 curves, we may run into a product of elliptic curves. In such cases, one needs to resort to different sets of multiradical isogeny formulae in order to cover the entire isogeny chain.
We illustrate the use of multiradical isogenies in Section 6, by constructing a Charles–Goren–Lauter style hash function from $(3,3)$-isogenies between superspecial p.p. abelian surfaces over a large quadratic finite field $\mathbb{F}_{p^2}$, similar to the $(2,2)$-construction from our joint work with Smith [9]. In short, each message determines a walk in the isogeny graph (which is of size about $p^3/2880$), and the hash of the message is the end point of that walk. One should make sure that every two consecutive isogenies compose to a $(9,9)$-isogeny, to avoid the trivial collisions described in [22, §2.3]. This is automatically taken care of when using multiradical isogeny formulae.
In the Richelot hash function from [9], a $(2,2)$-isogeny costs about 3 square root computations, with very little overhead, and can be used to process 3 bits of the message. In our case, the cost of a $(3,3)$-isogeny is dominated by the extraction of 3 cube roots, and now it can be used to process 3 trits (i.e., base-3 digits) of the message. Moreover, if $p \not\equiv \pm 1 \bmod 9$ then $p^2 \not\equiv 1 \bmod 9$ and computing cube roots in $\mathbb{F}_{p^2}$ is faster than computing square roots (see Section 6.4). Altogether, this leads to an expected speed-up by a factor 9, roughly. However, a noticeable difference with [9] is that chaining multiradical $(3,3)$-isogenies comes with some non-negligible overhead; our current implementation even involves three small Gröbner basis computations. Despite this overhead, the $(3,3)$-hash function outperforms the Richelot hash function as soon as the field characteristic $p$ is of cryptographic size (i.e., 86 bits or more). The asymptotic speed-up factor $\approx 9$ becomes visible when $p$ is about $2^{1024}$.

Two conventions. For any integer $N \geq 2$ we denote the ring (or the additive group) of integers modulo $N$ by $\mathbb{Z}_N$; we thereby follow computer science customs.² Also, throughout this paper, we always identify a variety over a perfect field $K$ with its set of $\bar K$-points equipped with the natural $\mathrm{Gal}(\bar K/K)$-action.

Acknowledgments. This work was supported by the Research Council KU Leuven grant C14/18/067, by CyberSecurity Research Flanders with reference VR20192203, and by the Research Foundation Flanders (FWO) through the WOG Coding Theory and Cryptography. We thank Marc Houben, Frederik Vercauteren and the anonymous referees for several helpful remarks.

2 Background

We discuss some of the material needed for what follows, but we stress that this
is not a complete overview. Our main goal is to fix notation and highlight some
statements that may be known to specialists but that we did not manage to
pinpoint in the existing literature, such as Lemma 2, Example 3 and Lemma 4.
For general background on abelian varieties and isogenies we refer to [34, 35].

2.1 Generalized symplectic bases

We consider abelian varieties $A$ of dimension $g \geq 1$ over a perfect field $K$ with algebraic closure $\bar K$, and we always assume that $A$ comes equipped with a principal polarization. Important examples of $g$-dimensional principally polarized (p.p.) abelian varieties are Jacobians of smooth projective curves $C/K$ of genus $g$. Every p.p. abelian variety of dimension $\leq 3$ is $\bar K$-isomorphic to a product of Jacobians.
For each integer $N \geq 2$ with $\operatorname{char} K \nmid N$, the $N$-torsion subgroup $A[N]$ can be shown to be free of rank $2g$ over $\mathbb{Z}_N$. The principal polarization induces a perfect bilinear and antisymmetric pairing
$$e_N : A[N] \times A[N] \to \mu_N \subseteq \bar K^*,$$
known as the Weil pairing. After fixing a primitive $N$th root of unity $\zeta_N \in \mu_N$, the Weil pairing turns into a symplectic form:
$$\langle \cdot, \cdot \rangle_N : A[N] \times A[N] \to \mathbb{Z}_N : (P, Q) \mapsto \log_{\zeta_N} e_N(P, Q).$$

² Most pure mathematicians prefer the notation $\mathbb{Z}/N\mathbb{Z}$, especially when $N$ is a prime number $p$ (or a power thereof) in order to avoid confusion with $p$-adic rings. Our paper is free of $p$-adic numbers, so such confusion should not be possible.
Thus $A[N]$ admits a symplectic basis, i.e., a $\mathbb{Z}_N$-basis $P_1, \ldots, P_g, Q_1, \ldots, Q_g$ satisfying $\langle P_i, P_j \rangle_N = \langle Q_i, Q_j \rangle_N = 0$ and $\langle P_i, Q_j \rangle_N = \delta_{ij}$ for all $i, j \in \{1, \ldots, g\}$. This allows us to view $A[N]$ as $\mathbb{Z}_N^{2g}$ equipped with the standard symplectic pairing
$$\langle \cdot, \cdot \rangle : \mathbb{Z}_N^{2g} \times \mathbb{Z}_N^{2g} : (v, w) \mapsto v^T \Omega w, \qquad \Omega = \begin{pmatrix} 0 & I_g \\ -I_g & 0 \end{pmatrix}.$$
Changing between symplectic bases is done using matrices from the symplectic group $\mathrm{Sp}_{2g}(\mathbb{Z}_N) = \{\, M \in \mathrm{GL}_{2g}(\mathbb{Z}_N) \mid M^T \Omega M = \Omega \,\}$.
Note that the notion of a symplectic basis of $A[N]$ depends on the choice of $\zeta_N$. If a basis is symplectic with respect to some choice of $\zeta_N$, then we call it a generalized symplectic basis. The matrices of base change between generalized symplectic bases are now taken from the larger group
$$\mathrm{GSp}_{2g}(\mathbb{Z}_N) = \{\, M \in \mathrm{GL}_{2g}(\mathbb{Z}_N) \mid M^T \Omega M = d(M)\,\Omega \text{ for a } d(M) \in \mathbb{Z}_N^* \,\}, \qquad (1)$$
which is known as the generalized symplectic group (its elements are often referred to as symplectic similitudes). An $N$-level structure on $A$ is an isomorphism $\alpha : A[N] \to \mathbb{Z}_N^{2g}$ such that
$$\alpha^{-1}(1, 0, \ldots, 0),\ \alpha^{-1}(0, 1, \ldots, 0),\ \ldots,\ \alpha^{-1}(0, 0, \ldots, 1)$$
is a generalized symplectic basis of $A[N]$.

2.2 Good chains of (N, . . . , N )-isogenies


A subgroup $G \subseteq A[N]$ is called isotropic if $\langle P, Q \rangle_N = 0$ for all $P, Q \in G$. Note that this notion does not depend on the choice of $\zeta_N$. It is called maximal isotropic if moreover there is no supergroup $G' \supsetneq G$ that is isotropic. This property ensures that the isogenous abelian variety $A' = A/G$ comes naturally equipped with a principal polarization. The subgroup is said to be an
$$(\underbrace{N, \ldots, N}_{g \text{ times}})\text{-subgroup}$$
if it is a (necessarily maximal) isotropic free $\mathbb{Z}_N$-submodule of rank $g$, i.e., an isotropic subgroup isomorphic to $\mathbb{Z}_N^g$. In that case, we say that the quotient isogeny $\varphi : A \to A'$ is an $(N, \ldots, N)$-isogeny.
Given an $(N, \ldots, N)$-isogeny $\varphi : A \to A'$, we say that an $(N, \ldots, N)$-isogeny $\varphi' : A' \to A''$ is a good extension of $\varphi$ if the composition
$$A \xrightarrow{\ \varphi\ } A' \xrightarrow{\ \varphi'\ } A''$$
is an $(N^2, \ldots, N^2)$-isogeny. According to the lemma below, of which special cases can be found in [22, §2.2], there are $N^{g(g+1)/2}$ subgroups of $A'[N]$ that give rise to good extensions. The group $\varphi(A[N])$ is an $(N, \ldots, N)$-subgroup which is the kernel of the dual isogeny $\hat\varphi : A' \to A$. All other $(N, \ldots, N)$-subgroups of $A'[N]$ are said to give rise to bad extensions. These are precisely the $(N, \ldots, N)$-subgroups that differ from $\varphi(A[N])$ but that intersect it non-trivially.
Lemma 2. Consider $\mathbb{Z}_N^{2g}$ together with the standard symplectic pairing $\langle \cdot, \cdot \rangle$. Its number of $(N, \ldots, N)$-subgroups is given by
$$N^{g(g+1)/2} \prod_{\substack{\ell \text{ prime} \\ \ell \mid N}} \prod_{i=1}^{g} \left( 1 + \frac{1}{\ell^i} \right).$$
Given an $(N, \ldots, N)$-subgroup $G \subseteq \mathbb{Z}_N^{2g}$, the number of $(N, \ldots, N)$-subgroups that intersect it trivially equals $N^{g(g+1)/2}$.

Proof. For the second count, consider generators $P_1, \ldots, P_g$ of the given subgroup $G$ and extend to a symplectic basis $P_1, \ldots, P_g, Q_1, \ldots, Q_g$. The free rank-$g$ submodules that intersect $G$ trivially each admit a unique basis of the form
$$P_1' = Q_1 + a_{11} P_1 + \ldots + a_{1g} P_g, \quad \ldots, \quad P_g' = Q_g + a_{g1} P_1 + \ldots + a_{gg} P_g, \qquad (2)$$
for certain $a_{ij} \in \mathbb{Z}_N$ and, conversely, every such basis generates a rank-$g$ submodule intersecting $G$ trivially. One checks that the maximal isotropy assumption $\forall i, j : \langle P_i', P_j' \rangle = 0$ translates into $\binom{g}{2}$ linear conditions on the $a_{ij}$'s. These conditions can be used to express the $a_{ij}$'s with $i > j$ in terms of the other $a_{ij}$'s. Thus we are left with $g^2 - \binom{g}{2} = g(g+1)/2$ degrees of freedom, as wanted.
As for the first count, we start with the case where $N = \ell$ is a prime number. The symplectic group $\mathrm{Sp}_{2g}(\mathbb{F}_\ell)$ acts transitively on the set of $(\ell, \ldots, \ell)$-subgroups, and our goal is to compute the size of the unique orbit. This can be done via the orbit-stabilizer theorem, which indeed yields
$$\prod_{i=1}^{g} (\ell^i + 1) = \ell^{g(g+1)/2} \prod_{i=1}^{g} \left( 1 + \frac{1}{\ell^i} \right)$$
as detailed in [27, §1]. Next, to settle the case $N = \ell^n$ for $n > 1$, it suffices to see that the reduction-mod-$\ell$ map³
$$\{\, (\ell^n, \ldots, \ell^n)\text{-subgroups of } \mathbb{Z}_{\ell^n}^{2g} \,\} \to \{\, (\ell, \ldots, \ell)\text{-subgroups of } \mathbb{F}_\ell^{2g} \,\}$$
is $\ell^{(n-1)g(g+1)/2}$-to-1. This works as before: consider generators $Q_1, \ldots, Q_g$ of an $(\ell^n, \ldots, \ell^n)$-subgroup $G$, and extend to a symplectic basis $Q_1, \ldots, Q_g, P_1, \ldots, P_g$. The $(\ell^n, \ldots, \ell^n)$-subgroups having the same reduction as $G$ admit a unique basis of the form (2), where each $a_{ij}$ is now an element of $\ell \mathbb{Z}_{\ell^n}$. Again, the maximal isotropy condition translates into expressions for the $a_{ij}$'s with $i > j$ in terms of the other $a_{ij}$'s, leaving us with $\ell^{(n-1)g(g+1)/2}$ subgroups, as wanted. The count for arbitrary $N$ then follows from the Chinese remainder theorem. ⊔⊓

³ Recall from the introduction that $\mathbb{Z}_{\ell^n}$ just abbreviates $\mathbb{Z}/\ell^n\mathbb{Z}$, the integers modulo $\ell^n$, rather than some extension of the ring of $\ell$-adic integers.
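As an added brute-force check of Lemma 2 and of the good/bad extension counts of Section 2.2 (example code written for this page, not from the paper), the following Python script enumerates all $(N, \ldots, N)$-subgroups of $\mathbb{Z}_N^{2g}$ for small $g$ and $N$ and compares both counts with the lemma. Vectors and the pairing follow the conventions of Section 2.1, and the fixed subgroup $G = \langle e_1, \ldots, e_g \rangle$ plays the role of $\varphi(A[N])$, so the subgroups meeting it trivially are the good extensions and the remaining ones (other than $G$ itself) are the bad extensions. The parameter pairs and the helper names are choices of this example.

```python
# Added example (not code from the paper): brute-force verification of Lemma 2.
# Vectors of Z_N^{2g} are tuples (v_1..v_g, w_1..w_g); the standard symplectic
# pairing is <v,w> = v^T Omega w with Omega = [[0, I_g], [-I_g, 0]].
from fractions import Fraction
from itertools import product


def symplectic_pairing(v, w, g, N):
    """<v, w> = sum_i v_i w_{g+i} - v_{g+i} w_i  (mod N)."""
    return sum(v[i] * w[g + i] - v[g + i] * w[i] for i in range(g)) % N


def span(gens, N):
    """All Z_N-linear combinations of the generators, as a frozenset of tuples."""
    dim = len(gens[0])
    pts = set()
    for coeffs in product(range(N), repeat=len(gens)):
        pts.add(tuple(sum(c * P[k] for c, P in zip(coeffs, gens)) % N for k in range(dim)))
    return frozenset(pts)


def nn_subgroups(g, N):
    """All (N,...,N)-subgroups of Z_N^{2g}: isotropic free Z_N-submodules of rank g.

    Every such submodule is generated by g vectors, so running over all g-tuples of
    vectors finds each of them; a span generated by g vectors is free of rank g
    exactly when it has N^g elements."""
    vecs = list(product(range(N), repeat=2 * g))
    found = set()
    for gens in product(vecs, repeat=g):
        if any(symplectic_pairing(P, Q, g, N) for P in gens for Q in gens):
            continue                      # not isotropic
        S = span(gens, N)
        if len(S) == N ** g:              # free of rank g (hence maximal isotropic)
            found.add(S)
    return found


def predicted_total(g, N):
    """The first count of Lemma 2: N^{g(g+1)/2} prod_{l | N} prod_{i=1}^g (1 + 1/l^i)."""
    primes = [l for l in range(2, N + 1) if N % l == 0 and all(l % q for q in range(2, l))]
    total = Fraction(N ** (g * (g + 1) // 2))
    for l in primes:
        for i in range(1, g + 1):
            total *= 1 + Fraction(1, l ** i)
    assert total.denominator == 1
    return int(total)


def extension_counts(g, N):
    """Classify the (N,...,N)-subgroups relative to G = <e_1, ..., e_g>, the analogue of
    the kernel phi(A[N]) of the dual isogeny in Section 2.2: G itself, the subgroups
    meeting G trivially (good extensions) and the r, est (bad extensions)."""
    zero = (0,) * (2 * g)
    G = span([tuple(1 if k == i else 0 for k in range(2 * g)) for i in range(g)], N)
    good = bad = 0
    for S in nn_subgroups(g, N):
        if S == G:
            continue
        if S & G == {zero}:
            good += 1
        else:
            bad += 1
    return {"total": good + bad + 1, "good": good, "bad": bad}


if __name__ == "__main__":
    for g, N in [(1, 2), (1, 3), (1, 4), (2, 2), (2, 3)]:
        print(g, N, extension_counts(g, N), "lemma predicts", predicted_total(g, N),
              "in total and", N ** (g * (g + 1) // 2), "good extensions")
```

For $g = 2$, $N = 2$ the script finds 15 subgroups, of which 8 meet $G$ trivially, matching $2^3(1 + 1/2)(1 + 1/4) = 15$ and $2^{3} = 8$; the composite case $g = 1$, $N = 4$ gives 6 cyclic subgroups of order 4 with exactly $4^1 = 4$ good ones, illustrating the Chinese-remainder step of the proof beyond the prime case.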
2.3 The Tate pairing on (products of) Jacobians
We discuss the Tate pairing on Jacobians, in the sense of Frey and Rück [24, 28], and its natural extension to products of Jacobians. Let $C/K$ be a curve of genus $g \geq 1$ and let $N \geq 2$ be such that $\operatorname{char} K \nmid N$. The Tate pairing is a map
$$t_N : \mathrm{Pic}^0_K(C)[N] \times \mathrm{Pic}^0_K(C)/N\,\mathrm{Pic}^0_K(C) \to K^*/(K^*)^N,$$
where $\mathrm{Pic}^0_K(C)$ denotes the group of $K$-rational degree-zero divisors on $C$ modulo divisors of functions in $K(C)^*$, and is defined as follows. Let $\mathcal{D}_1 \in \mathrm{Pic}^0_K(C)[N]$ be represented by a divisor $D_1$ and let $\mathcal{D}_2 \in \mathrm{Pic}^0_K(C)/N\,\mathrm{Pic}^0_K(C)$ be represented by a divisor $D_2$ with support disjoint from that of $D_1$. Take a function $f_{N,D_1} \in K(C)^*$ whose divisor is $N D_1$. We then let
$$t_N(\mathcal{D}_1, \mathcal{D}_2) := f_{N,D_1}(D_2) \bmod (K^*)^N.$$
It can be shown that this is a well-defined bilinear pairing. In many cases of interest, the natural inclusion
$$\mathrm{Pic}^0_K(C) \hookrightarrow J_C(K)$$
into the Jacobian $J_C$ of $C$ is surjective, i.e., it is a group isomorphism, and we obtain a pairing
$$J_C(K)[N] \times J_C(K)/N J_C(K) \to K^*/(K^*)^N$$
that we keep denoting by $t_N$. Known sufficient conditions for surjectivity are that $K$ has a trivial Brauer group (e.g., this is true if $K$ is finite) [34, Rmk. 1.6], that $C(K) \neq \emptyset$ [25, Thm. 3], or that $g = 2$ [13, Lem. 3.1 and Lem. 3.2].
In this paper we are mainly interested in the case where $K$ is a certain function field over $\mathbb{Q}$, which has a non-trivial Brauer group. To avoid resulting pathologies, we only apply the Tate pairing in cases where $C(K) \neq \emptyset$ or where $g = 2$. We also consider the Tate pairing
$$t_N : A(K)[N] \times A(K)/N A(K) \to K^*/(K^*)^N$$
on abelian varieties $A/K$ that arise as products of Jacobians of such curves: this is simply obtained by taking the product of the Tate pairings of the respective components.

Example 3. For use in Section 4.2, let us consider a genus-2 curve
$$C : y^2 = G_1(x) G_2(x) G_3(x)$$
over a perfect field $K$ of odd characteristic, where the $G_i$'s are quadratic polynomials over $K$ whose product is square-free. Each $G_i$ defines an element $\mathcal{D}_i \in \mathrm{Pic}^0_K(C)$, namely the class of
$$D_i = (\alpha_{i1}, 0) + (\alpha_{i2}, 0) - \infty_1 - \infty_2,$$
with $\alpha_{i1}, \alpha_{i2} \in \bar K$ the two roots of $G_i$ and with $\infty_1, \infty_2 \in C(\bar K)$ the two points at infinity. An analysis of $L(\infty_1 + \infty_2)$ shows that $D_i$ is non-principal, so from $2D_i = \operatorname{div}(G_i)$ we conclude that the $\mathcal{D}_i$'s have order 2. Let us compute $t_2(\mathcal{D}_1, \mathcal{D}_2)$. Replace $D_1$ by the equivalent divisor
$$D_1' = (\alpha_{11}, 0) + (\alpha_{12}, 0) - \infty_1 - \infty_2 - \operatorname{div}(x - c)$$
for some arbitrary $c \in K$ that is not a root of $G_2$. Then we can take $f_{2,D_1'} = G_1/(x - c)^2$ so that
$$t_2(\mathcal{D}_1, \mathcal{D}_2) \equiv f_{2,D_1'}(D_2) \equiv \frac{G_1(\alpha_{21})\, G_1(\alpha_{22})}{(\alpha_{21} - c)^2 (\alpha_{22} - c)^2} \equiv \frac{\operatorname{res}_x(G_1, G_2)}{\operatorname{lc}(G_1)^2}$$
modulo $(K^*)^2$. Here $\operatorname{lc}(G_1)$ denotes the leading coefficient of $G_1$. By symmetry, it then follows that $t_2(\mathcal{D}_i, \mathcal{D}_j) \equiv \operatorname{res}_x(G_i, G_j)$ for all pairs of distinct $i, j \in \{1, 2, 3\}$.
If $K$ is a finite field $\mathbb{F}_q$ containing a primitive $N$th root of unity, i.e., $N \mid q - 1$, then the Tate pairing can be shown to be perfect. We remark that there are ways of extending Frey and Rück's definition of the Tate pairing to arbitrary abelian varieties over $\mathbb{F}_q$, where it remains perfect [6].

2.4 Multiradical field extensions


We say that a field extension $K \subseteq L$ is multiradical if there exist an integer $N \geq 1$ and elements $\alpha_1, \ldots, \alpha_r \in L$ such that $L = K(\alpha_1, \ldots, \alpha_r)$ and $\alpha_i^N \in K^*$ for all $i$. In this section, we discuss a sufficient Galois-theoretic condition for an extension to be multiradical. While we suspect that this is a well-known fact, we did not manage to find an exact reference, even for the case $r = 1$.
Recall that a group $G$ is the (inner) semi-direct product $G_1 \rtimes G_2$ of a normal subgroup $G_1$ and a subgroup $G_2$ if the following three equivalent conditions hold:
– $G = G_1 G_2$ and $G_1 \cap G_2 = \{e_G\}$,
– every $g \in G$ can be written as $g = g_1 g_2$ for unique $g_1 \in G_1$ and $g_2 \in G_2$,
– every $g \in G$ can be written as $g = g_2 g_1$ for unique $g_1 \in G_1$ and $g_2 \in G_2$.
The group structure of $G$ is determined by that of $G_1$ and $G_2$ and by how $G_2$ acts on $G_1$ through conjugation.
The prototypical example of a multiradical extension is where $K = \mathbb{Q}$ and $L = \mathbb{Q}(\sqrt[N]{p_1}, \ldots, \sqrt[N]{p_r})$ for distinct primes $p_i$, which is a number field of degree $N^r$ [1]. The Galois closure of $L$ over $K$ is $L(\zeta_N)$, with $\zeta_N \in \bar L$ a primitive $N$th root of unity. Define
$$G_1 = \{\, \sigma_1^{i_1} \circ \cdots \circ \sigma_r^{i_r} \mid 0 \leq i_j < N \text{ for all } j \,\} \cong \mathbb{Z}_N^r,$$
where $\sigma_j : \sqrt[N]{p_j} \mapsto \zeta_N \sqrt[N]{p_j}$ for $j = 1, \ldots, r$. Letting $G_2 = \{\, \tau_\ell : \zeta_N \mapsto \zeta_N^\ell \mid 0 \leq \ell < N,\ \gcd(\ell, N) = 1 \,\} \cong \mathbb{Z}_N^*$, one then verifies that
$$\mathrm{Gal}(L(\zeta_N)/K) = G_1 \rtimes G_2,$$
where the action is given by $\tau_\ell \circ \sigma_1^{i_1} \circ \cdots \circ \sigma_r^{i_r} \circ \tau_\ell^{-1} = \sigma_1^{i_1 \ell} \circ \cdots \circ \sigma_r^{i_r \ell}$. Of course, this example generalizes to (the Galois closures of) arbitrary multiradical extensions, as long as $\operatorname{char} K \nmid N$ and $[L : K] = N^r$.
Lemma 4 gives a converse statement:

Lemma 4. Let $N, r$ be positive integers and consider a degree-$N^r$ extension $K \subseteq L$ of fields whose characteristic does not divide $N$. Let $\zeta_N \in \bar L$ be a primitive $N$th root of unity and assume that $L(\zeta_N)$ is Galois over $K$ with Galois group
$$\mathrm{Gal}(L(\zeta_N)/K) = \mathrm{Gal}(L(\zeta_N)/K(\zeta_N)) \rtimes \mathrm{Gal}(L(\zeta_N)/L),$$
where the first factor is isomorphic to $\mathbb{Z}_N^r$, say generated by $\sigma_1, \ldots, \sigma_r$, and where the semi-direct product is according to the rule
$$\tau_\ell \circ \sigma_1^{i_1} \circ \cdots \circ \sigma_r^{i_r} \circ \tau_\ell^{-1} = \sigma_1^{i_1 \ell} \circ \cdots \circ \sigma_r^{i_r \ell} \qquad (3)$$
for all $i_1, \ldots, i_r \in \{0, \ldots, N - 1\}$ and all $\tau_\ell : \zeta_N \mapsto \zeta_N^\ell \in \mathrm{Gal}(L(\zeta_N)/L)$. Then there exist $\alpha_1, \ldots, \alpha_r \in L$ such that $L = K(\alpha_1, \ldots, \alpha_r)$ and $\alpha_1^N, \ldots, \alpha_r^N \in K^*$.

Proof. First assume that $r = 1$ and write $\sigma$ instead of $\sigma_1$. The restricted maps $\sigma^i|_L : L \to L(\zeta_N)$ are pairwise distinct. Indeed, if $i, i' \in \{0, 1, \ldots, N - 1\}$ are such that $\sigma^i|_L = \sigma^{i'}|_L$, then
$$\sigma^{i - i'} \in \mathrm{Gal}(L(\zeta_N)/K(\zeta_N)) \cap \mathrm{Gal}(L(\zeta_N)/L) = \{\mathrm{id}\},$$
which can only be true if $i = i'$. From [41, Lem. 0CKL] it follows that these restricted maps are linearly independent over $L(\zeta_N)$. In particular there exists some $\beta \in L$ such that
$$\alpha := \sum_{i=0}^{N-1} \zeta_N^{i} \sigma^{i}(\beta)$$
is non-zero. From
$$\tau_\ell(\alpha) = \sum_i \zeta_N^{i\ell} (\tau_\ell \circ \sigma^i)(\beta) = \sum_i \zeta_N^{i\ell} (\sigma^{i\ell} \circ \tau_\ell)(\beta) = \sum_i \zeta_N^{i\ell} \sigma^{i\ell}(\beta) = \alpha$$
it follows that $\alpha \in L$. Now observe that $\alpha$ was constructed in such a way that $\sigma^i(\alpha) = \zeta_N^{-i} \alpha$ for $i = 0, 1, \ldots, N - 1$, which has two crucial consequences. On the one hand, it implies that $\mathrm{Gal}(L(\zeta_N)/L)$ is the exact group of automorphisms fixing $K(\alpha)$, or in other words $L = K(\alpha)$. On the other hand, it implies that $\sigma(\alpha^N) = \sigma(\alpha)^N = (\zeta_N^{-1} \alpha)^N = \alpha^N$, so that $\alpha^N$ is fixed by the entire Galois group, i.e., $\alpha^N \in K$ as wanted.
The general case reduces to the case $r = 1$, as follows. Each element of our Galois group $\mathrm{Gal}(L(\zeta_N)/K)$ can be written as
$$\sigma_1^{i_1} \circ \cdots \circ \sigma_r^{i_r} \circ \tau_\ell$$
for unique $0 \leq i_j, \ell < N$ with $\gcd(\ell, N) = 1$. For each $j = 1, \ldots, r$, let $G_j$, resp. $H_j$, be the subgroup obtained by imposing $i_j = 0$, resp. the normal subgroup obtained by imposing $i_j = 0$ and $\ell = 1$. Defining $L_j = L(\zeta_N)^{G_j}$, it is easy to check that $L(\zeta_N)^{H_j} = L_j(\zeta_N)$ and that the chain of inclusions $K \subseteq L_j \subseteq L_j(\zeta_N)$ satisfies the hypotheses of the lemma for $r = 1$. From the first part of our proof, we conclude that there exists an $\alpha_j \in L_j$ such that $L_j = K(\alpha_j)$ and $\alpha_j^N \in K^*$. But from $\bigcap_j G_j = \mathrm{Gal}(L(\zeta_N)/L)$ one sees that $L$ is the compositum of the $L_j$'s, from which the lemma follows. ⊔⊓

Note that if $r = 1$ and $L$ contains $\zeta_N$ then Lemma 4 specializes to a standard statement from Kummer theory; observe that the factor $\mathrm{Gal}(L(\zeta_N)/L)$ is trivial in this case. In fact, our proof is a tweak of that of [41, Lem. 09DX]. In the current paper, we are mostly interested in the other end of the spectrum, where $\langle \zeta_N \rangle \cap L$ is as small as possible, i.e., contained in $\{\pm 1\}$.

2.5 Charles–Goren–Lauter style hash functions

In [12], Charles, Goren and Lauter introduced a hash function based on isogenies
between supersingular elliptic curves. This construction was generalized to work
for Richelot isogenies between superspecial p.p. abelian surfaces in [9], by fixing
an earlier proposal due to Takashima [44], shown to admit trivial collisions by
Flynn and Ti [22]. We give a rough outline of the general construction.
Fix distinct primes $p$ and $\ell$, a dimension $g$, and let $\mathcal{G}_{p,\ell,g}$ be the directed multigraph with vertex set $V$ and edge set $E$, which are constructed as follows. $V$ consists of all superspecial p.p. abelian varieties over $\bar{\mathbb{F}}_p$ of dimension $g$ up to isomorphism, which can always be defined over $\mathbb{F}_{p^2}$ [2, Thm. 2.13A]. The edges emanating from a vertex $v \in V$ are the $(\ell, \ldots, \ell)$-isogenies with domain $v$, one for each $(\ell, \ldots, \ell)$-subgroup of $v$. One can prove that the graph $\mathcal{G}_{p,\ell,g}$ is connected [31, Thm. 43], and in the case of supersingular elliptic curves, the graph is a Ramanujan graph [12]. Unfortunately, this is no longer the case for dimension $g > 1$ [31, §10.1], but those graphs seem to exhibit strong expansion properties nonetheless; see [20] for an empiric analysis of the case $\ell = g = 2$. From Lemma 2 we see that $\mathcal{G}_{p,\ell,g}$ is a $\prod_{i=1}^{g} (\ell^i + 1)$-regular multigraph. One can try and turn this graph into an undirected graph by considering dual isogenies, but due to p.p. abelian varieties possibly having non-trivial automorphisms, the multiplicities of the edges and their duals may not coincide. For a more in-depth discussion regarding this phenomenon, we refer to [9, §4].
To build a hash function from this graph, we must first fix a superspecial p.p. abelian variety and will begin a walk in the graph starting from this vertex. From this initial vertex, we label all outgoing edges in some way (e.g., in lexicographical order with respect to a fixed choice of representation of $\mathbb{F}_{p^2}$). Out of these $\prod_{i=1}^{g} (\ell^i + 1)$ edges, we only consider the first $\kappa = \ell^{g(g+1)/2}$ and we walk along the edge that corresponds to the least significant digit of $m$ when expressed in base $\kappa$.⁴ We have now arrived at a new p.p. abelian variety and want to avoid any possible backtracking while walking in the graph, so for our next edge, we should not consider all possible outgoing edges. For elliptic curves, it suffices to discard the edges corresponding to the dual isogenies [12], but for $g > 1$ we must discard all options that have a kernel which intersects the kernel of the dual isogeny non-trivially [9]. In general, again in view of Lemma 2, this leaves us with $\kappa$ possible edges to consider, which correspond to good extensions of the isogeny corresponding to the first edge we chose. Once again, we label the $\kappa$ outgoing edges in some deterministic way and will walk along the one that corresponds to the second least significant digit of $m$ in base $\kappa$. We continue this until all the digits of the message have been processed. The output of the hash function is then an invariant of the final p.p. abelian variety we encounter. In the case of elliptic curves, one can choose the $j$-invariant for example.

⁴ There is no real reason why one cannot consider all edges in this first step. Restricting to only $\kappa$ choices however streamlines the algorithm.
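As an added illustration of the walk just described (example code written for this page, not the paper's implementation nor that of [9] or [12]), the following Python script runs the elliptic-curve instance $g = 1$, $\ell = 2$ over $\mathbb{F}_{p^2}$ with the toy prime $p = 431$; the prime, the start vertex and all names are choices of this example. Curves are kept in the form $y^2 = x^3 + ax^2 + bx$, whose point $(0,0)$ generates the kernel of the dual of the isogeny just taken, so at every vertex the $\kappa = 2$ non-backtracking edges are the other two rational 2-torsion points, labelled by lexicographic order of their $x$-coordinate as a pair $(x_0, x_1)$ in $\mathbb{F}_p(i)$. Each message bit picks one of them, the chosen point is translated to $(0,0)$, and the classical 2-isogeny $E_{a,b} \to E_{-2a,\,a^2-4b}$ with kernel $\langle (0,0) \rangle$ is applied; the output is the $j$-invariant of the final curve.

```python
# Added example (not the paper's code): the g = 1, l = 2 instance of a Charles-Goren-Lauter
# style walk over F_{p^2}.  The prime P = 431 and all names are choices of this example.
# A curve is stored as (a, b), meaning E_{a,b}: y^2 = x^3 + a x^2 + b x.  The 2-isogeny
# with kernel <(0,0)> maps E_{a,b} to E_{-2a, a^2 - 4b}, and its dual again has kernel
# <(0,0)>; the two non-backtracking edges are thus the roots of x^2 + a x + b.
P = 431            # P = 3 mod 4, so F_{p^2} = F_p(i) with i^2 = -1 and y^2 = x^3 + x is supersingular
Q = P * P          # size of F_{p^2}


class Fp2:
    """Element x0 + x1*i of F_{p^2}."""
    __slots__ = ("x0", "x1")

    def __init__(self, x0, x1=0):
        self.x0, self.x1 = x0 % P, x1 % P

    def key(self):                      # lexicographic order used to label outgoing edges
        return (self.x0, self.x1)

    def __eq__(self, o):
        return self.key() == o.key()

    def __hash__(self):
        return hash(self.key())

    def __add__(self, o):
        return Fp2(self.x0 + o.x0, self.x1 + o.x1)

    def __sub__(self, o):
        return Fp2(self.x0 - o.x0, self.x1 - o.x1)

    def __neg__(self):
        return Fp2(-self.x0, -self.x1)

    def __mul__(self, o):
        if isinstance(o, int):
            o = Fp2(o)
        return Fp2(self.x0 * o.x0 - self.x1 * o.x1, self.x0 * o.x1 + self.x1 * o.x0)
    __rmul__ = __mul__

    def inv(self):
        n = pow(self.x0 * self.x0 + self.x1 * self.x1, P - 2, P)   # 1/Norm(self) in F_p
        return Fp2(self.x0 * n, -self.x1 * n)

    def __pow__(self, e):
        r, base = Fp2(1), self
        while e:
            if e & 1:
                r = r * base
            base = base * base
            e >>= 1
        return r


def _nonresidue():
    """Deterministic search for a quadratic non-residue of F_{p^2} (used by Tonelli-Shanks)."""
    k = 1
    while Fp2(1, k) ** ((Q - 1) // 2) != Fp2(-1):
        k += 1
    return Fp2(1, k)


def fp2_sqrt(n):
    """Tonelli-Shanks square root in F_{p^2}; raises ValueError if n is not a square."""
    if n == Fp2(0):
        return n
    if n ** ((Q - 1) // 2) != Fp2(1):
        raise ValueError("not a square")
    q, s = Q - 1, 0
    while q % 2 == 0:
        q //= 2
        s += 1
    m, c, t, r = s, _nonresidue() ** q, n ** q, n ** ((q + 1) // 2)
    while t != Fp2(1):
        i, tt = 0, t
        while tt != Fp2(1):
            tt, i = tt * tt, i + 1
        b = c ** (1 << (m - i - 1))
        m, c, t, r = i, b * b, t * b * b, r * b
    return r


def two_torsion_roots(a, b):
    """x-coordinates of the 2-torsion points other than (0,0), in lexicographic order.
    Every curve on this walk has full rational 2-torsion, so the discriminant is a square."""
    d = fp2_sqrt(a * a - 4 * b)
    half = Fp2(2).inv()
    return sorted([(d - a) * half, (-d - a) * half], key=Fp2.key)


def step(a, b, bit):
    """One non-backtracking 2-isogeny step, the edge being selected by one message bit."""
    r = two_torsion_roots(a, b)[bit]
    a1, b1 = a + 3 * r, b + 2 * a * r + 3 * r * r   # x -> x + r moves (r,0) to (0,0)
    return -2 * a1, a1 * a1 - 4 * b1                 # Velu: E_{a1,b1} / <(0,0)>


def j_invariant(a, b):
    """j(E_{a,b}) = 256 (a^2 - 3b)^3 / (b^2 (a^2 - 4b))."""
    return Fp2(256) * (a * a - 3 * b) ** 3 * (b * b * (a * a - 4 * b)).inv()


# Start vertex: E_0 / <(i,0)> with E_0: y^2 = x^3 + x (j = 1728).  Starting one step away
# from j = 1728 sidesteps its extra automorphisms, which identify the two edges leaving it.
START = (Fp2(0, -6), Fp2(-1))


def cgl_hash(bits):
    """Walk from START along the edges chosen by the bits (first bit first) and return
    the j-invariant of the final curve as the pair (x0, x1)."""
    a, b = START
    for bit in bits:
        a, b = step(a, b, bit)
    return j_invariant(a, b).key()


if __name__ == "__main__":
    print(j_invariant(*START).key(), cgl_hash([1, 0, 1, 1, 0, 0, 1, 0]))
```

The start curve is the image of $y^2 = x^3 + x$ under the 2-isogeny with kernel $\langle (i, 0) \rangle$, so its $j$-invariant is $287496 = 66^3$ reduced modulo $p$; every curve reached afterwards is $\mathbb{F}_{p^2}$-isogenous to it and therefore keeps the full rational 2-torsion that `two_torsion_roots` relies on. For $g > 1$ the same skeleton applies, but the non-backtracking rule must exclude every kernel meeting the dual kernel non-trivially, as the text explains, and the edge count per step becomes $\kappa = \ell^{g(g+1)/2}$.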

3 On the existence of multiradical isogeny formulae


In this section we give a group-theoretic argument in favor of the existence of
multiradical isogeny formulae. The argument is motivated by Lemma 4.

3.1 A multiradical modular cover


For a perfect field $K$, an integer $n \geq 2$ and a subgroup $H \subseteq \mathrm{GSp}_{2g}(\mathbb{Z}_n)$, we consider the moduli problem of parametrizing pairs $(A, \alpha)$ up to $H$-equivalence, where $A$ is a $g$-dimensional p.p. abelian variety over $K$ and $\alpha$ is an $n$-level structure on it. Two pairs $(A_1, \alpha_1)$ and $(A_2, \alpha_2)$ are called $H$-equivalent if there exists an isomorphism $\varphi : A_1 \to A_2$ and an element $h \in H$ such that $\alpha_1 = h \circ \alpha_2 \circ \varphi$. We write $[(A, \alpha)]_H$ for the $H$-equivalence class of $(A, \alpha)$, and denote the moduli set of such $H$-equivalence classes by $\mathcal{A}_g(H)$. Two extremal cases are $\mathcal{A}_g(\mathrm{GSp}_{2g}(\mathbb{Z}_n))$, which just parametrizes $g$-dimensional p.p. abelian varieties up to isomorphism, and $\mathcal{A}_g(\{\mathrm{id}\})$, which parametrizes $g$-dimensional p.p. abelian varieties $A$ equipped with a generalized symplectic basis of $A[n]$. Note that if $H'$ is a subgroup of $H$, then we have a natural map $\mathcal{A}_g(H') \to \mathcal{A}_g(H) : [(A, \alpha)]_{H'} \mapsto [(A, \alpha)]_H$.
We can construct a moduli set of $g$-dimensional p.p. abelian varieties $A$ together with marked generators $P_1, \ldots, P_g$ of an $(N, \ldots, N)$-subgroup by choosing $n = N$ and letting $H$ be
$$H_N = \left\{ \begin{pmatrix} I_g & B \\ 0 & d I_g \end{pmatrix} \;\middle|\; B \in \mathrm{Sym}_g(\mathbb{Z}_N),\ d \in \mathbb{Z}_N^* \right\} \subseteq \mathrm{GSp}_{2g}(\mathbb{Z}_N),$$
where $\mathrm{Sym}_g(\mathbb{Z}_N)$ denotes the set of symmetric $g \times g$ matrices with entries in $\mathbb{Z}_N$. Another (overcomplicated) way of arriving at a set with the same moduli interpretation is by instead letting $n = N^2$ and considering the group
$$\Gamma_{1,N} = \left\{ M \in \mathrm{GSp}_{2g}(\mathbb{Z}_{N^2}) \;\middle|\; M \bmod N \in H_N \right\}.$$
This creates room for defining the subgroup
$$\Gamma_{1,N}' = \left\{ M \in \Gamma_{1,N} \subseteq \mathrm{GSp}_{2g}(\mathbb{Z}_{N^2}) \;\middle|\; \text{lower-left } g \times g \text{ block of } M \text{ is zero} \right\},$$
whose associated moduli set parametrizes p.p. abelian varieties together with marked generators $Q_1, \ldots, Q_g$ of an $(N^2, \ldots, N^2)$-subgroup, considered modulo the following equivalence relation: two such sets of marked generators $Q_1, \ldots, Q_g$ and $R_1, \ldots, R_g$ are identified if and only if $R_i - Q_i \in \langle N Q_1, \ldots, N Q_g \rangle$ for $i = 1, \ldots, g$. Note that the points $P_i := N Q_i$ do not depend on the chosen representants $Q_i$, and neither do the cosets $P_i'$ of $Q_i$ modulo $\langle P_1, \ldots, P_g \rangle$.
Said differently, the set $\mathcal{A}_g(\Gamma_{1,N}')$ parametrizes $g$-dimensional p.p. abelian varieties $A$ together with marked generators $P_1, \ldots, P_g$ of some $(N, \ldots, N)$-subgroup $G \subseteq A$, as well as with marked generators $P_1', \ldots, P_g'$ of an $(N, \ldots, N)$-subgroup $G' \subseteq A/G$ which are such that the chain of quotient maps
$$A \xrightarrow{\ \varphi\ } A' = A/G \xrightarrow{\ \varphi'\ } A'/G'$$
is good, i.e., $\varphi' \circ \varphi$ is an $(N^2, \ldots, N^2)$-isogeny. The natural map $\mathcal{A}_g(\Gamma_{1,N}') \to \mathcal{A}_g(\Gamma_{1,N})$ just “forgets” about the points $P_i'$. Thus, the central question of our paper — given $P_1, \ldots, P_g$, how to find $P_1', \ldots, P_g'$ — is closely related to understanding the fibers of this map.

Remark 5. In the above moduli interpretation, the marked generators $P_i'$ have the additional property that
$$\hat\varphi(P_i') = P_i \quad \text{for all } i = 1, \ldots, g, \qquad (4)$$
where $\hat\varphi : A' \to A$ is the dual of $\varphi$. This feature was not explicitly asked for in the introduction. However, every subgroup $G' \subseteq A'$ for which $A' \to A'/G'$ is a good extension of $\varphi$ admits a unique $\mathbb{Z}_N$-basis satisfying (4); we call this basis distinguished. It suffices to concentrate on such bases. Indeed, once we have found formulae for these distinguished generators, formulae for other sets of generators can be found by performing a base change, using arithmetic on $A'$,⁵ and this should not affect features like multiradicality, completeness and good reduction. Moreover, it seems reasonable to expect that the formulae for the distinguished generators will stand out in terms of simplicity (although we did not investigate this in detail).

The multiradical nature of the fibers of $\mathcal{A}_g(\Gamma'_{1,N}) \to \mathcal{A}_g(\Gamma_{1,N})$ is hinted at by the following lemma, which invokes the notation $d(M)$ from (1), in combination with Lemma 4. Recall that the normal core $\mathrm{Core}_G(H)$ of a subgroup $H$ in a group $G$ is the largest subgroup of $H$ that is normal in $G$. For use below we remark that, under the Galois correspondence, this notion corresponds to the Galois closure of a separable field extension.
In order to state the lemma, we fix any bijection
$$k : \{1, \dots, g(g+1)/2\} \to \{\, (k_1, k_2) \mid 1 \le k_1 \le k_2 \le g \,\}$$
and for all $j = 1, \dots, g(g+1)/2$ and $0 \le \ell < N$, $\gcd(N, \ell) = 1$ we define the elements
$$\sigma_j = \begin{pmatrix} I_g & 0 \\ N S_{k(j)} & I_g \end{pmatrix}, \qquad \tau_\ell = \begin{pmatrix} I_g & 0 \\ 0 & \ell I_g \end{pmatrix}$$
of $\Gamma_{1,N}$, where $S_{(k_1, k_2)}$ denotes the symmetric $g \times g$ matrix having a 1 at positions $(k_1, k_2)$ and $(k_2, k_1)$ and 0's elsewhere.

${}^5$ For example, if $N$ is odd, then the formulae for $2P_1', \dots, 2P_g'$ are obtained from those for $P_1', \dots, P_g'$ by feeding the latter to a formula for doubling on $A'$.
Lemma 6. The group $\Gamma'_{1,N}$ has index $N^{g(g+1)/2}$ in $\Gamma_{1,N}$. Its normal core can be computed as
$$\mathrm{Core}_{\Gamma_{1,N}}(\Gamma'_{1,N}) = \{\, M \in \Gamma'_{1,N} \mid d(M) \equiv 1 \bmod N \,\},$$
which has index $\varphi(N)$ in $\Gamma'_{1,N}$. Every element of $\Gamma_{1,N} / \mathrm{Core}_{\Gamma_{1,N}}(\Gamma'_{1,N})$ admits a unique representant of the form
$$\sigma_1^{i_1} \cdots \sigma_{g(g+1)/2}^{i_{g(g+1)/2}} \cdot \tau_\ell \qquad (5)$$
with $0 \le i_j < N$ for all $j = 1, \dots, g(g+1)/2$, and $0 \le \ell < N$, $\gcd(N, \ell) = 1$.

More precisely, $\Gamma_{1,N} / \mathrm{Core}_{\Gamma_{1,N}}(\Gamma'_{1,N})$ can be written as
$$\{\, \sigma_j^{i_j} \mid 1 \le j \le g(g+1)/2,\ 0 \le i_j < N \,\} \rtimes \{\, \tau_\ell \mid 0 \le \ell < N,\ \gcd(N, \ell) = 1 \,\} \;\cong\; \mathbb{Z}_N^{g(g+1)/2} \rtimes \mathbb{Z}_N^*,$$
where the semi-direct product is taken according to the rule (3).

Proof. It is not hard to check that all matrices $M \in \Gamma_{1,N}$ have symmetric lower-left $g \times g$ blocks, i.e., these blocks belong to $N\,\mathrm{Sym}_g(\mathbb{Z}_{N^2})$. A count shows that the resulting map
$$\Gamma_{1,N} \to N\,\mathrm{Sym}_g(\mathbb{Z}_{N^2})$$
is uniform (i.e., every element in the codomain has the same number of preimages), implying that $[\Gamma_{1,N} : \Gamma'_{1,N}] = N^{g(g+1)/2}$. As for the normal core, conjugating $\Gamma'_{1,N}$ with suitable matrices (e.g., one can use the matrices $\sigma_j$) reveals that
$$\mathrm{Core}_{\Gamma_{1,N}}(\Gamma'_{1,N}) \subseteq \{\, M \in \Gamma'_{1,N} \mid d(M) \equiv 1 \bmod N \,\},$$
and since the right-hand side is a normal subgroup of $\Gamma_{1,N}$, equality must hold. Finally, we have
$$[\Gamma'_{1,N} : \mathrm{Core}_{\Gamma_{1,N}}(\Gamma'_{1,N})] = \varphi(N)$$
because $d$ defines a morphism $\Gamma'_{1,N} \to \mathbb{Z}_N^*$ which is surjective, as can be seen by evaluating it at the $\tau_\ell$'s.

Now assume that some element of $\Gamma_{1,N} / \mathrm{Core}_{\Gamma_{1,N}}(\Gamma'_{1,N})$ admits two distinct decompositions
$$\sigma_1^{i_1} \cdots \sigma_{g(g+1)/2}^{i_{g(g+1)/2}} \cdot \tau_\ell = \sigma_1^{i_1'} \cdots \sigma_{g(g+1)/2}^{i'_{g(g+1)/2}} \cdot \tau_{\ell'}.$$
Applying $d$ shows that $\ell \equiv \ell' \bmod N$, hence we can assume $\ell = \ell' = 1$. We then find
$$\sigma_1^{i_1 - i_1'} \cdots \sigma_{g(g+1)/2}^{i_{g(g+1)/2} - i'_{g(g+1)/2}} = \begin{pmatrix} I_g & 0 \\ N \sum_{j=1}^{g(g+1)/2} (i_j - i_j') S_{k(j)} & I_g \end{pmatrix}. \qquad (6)$$
But this is contained in $\Gamma'_{1,N}$ only if $i_j \equiv i_j' \bmod N$ for all $j$. In particular, the expansion (5) is unique. Elements of the form (5) are a full set of representants of $\Gamma_{1,N} / \mathrm{Core}_{\Gamma_{1,N}}(\Gamma'_{1,N})$ because there are $\varphi(N) N^{g(g+1)/2}$ such expansions. The statement about the semi-direct product is easy to check using (6). □

We now give more details on how Lemma 6 supports the existence of multiradical isogeny formulae, although we stress that the discussion below is partly heuristic. A major ingredient is that the sets $\mathcal{A}_g(H)$ are representable by algebraic varieties over $\mathbb{Q}$.${}^6$ Indeed, results by Artin and Faltings–Chai show that the corresponding moduli spaces exist as schemes over $\mathbb{Z}[1/N]$, see [19, §I.4]; it then follows from Geometric Invariant Theory that these spaces are quasi-projective [36, Thm. 7.9]. Consequently, the chain
$$\mathcal{A}_g(\{\mathrm{id}\}) \to \mathcal{A}_g(\Gamma'_{1,N}) \to \mathcal{A}_g(\Gamma_{1,N}) \to \mathcal{A}_g(\mathrm{GSp}_{2g}(\mathbb{Z}_{N^2}))$$
corresponds to an inclusion of function fields
$$\mathbb{Q}(\mathcal{A}_g(\mathrm{GSp}_{2g}(\mathbb{Z}_{N^2}))) \subseteq \mathbb{Q}(\mathcal{A}_g(\Gamma_{1,N})) \subseteq \mathbb{Q}(\mathcal{A}_g(\Gamma'_{1,N})) \subseteq \mathbb{Q}(\mathcal{A}_g(\{\mathrm{id}\})),$$
where the outer extension is Galois, with Galois group $\mathrm{GSp}_{2g}(\mathbb{Z}_{N^2})$, and where $\mathbb{Q}(\mathcal{A}_g(\Gamma_{1,N}))$, resp. $\mathbb{Q}(\mathcal{A}_g(\Gamma'_{1,N}))$, are the subfields fixed by $\Gamma_{1,N}$, resp. $\Gamma'_{1,N}$. This extrapolates upon well-known statements from the elliptic curve case, which can be found in [15, 37, 39], for instance. The middle inclusion has Galois closure
$$\mathbb{Q}(\mathcal{A}_g(\{\mathrm{id}\}))^{\mathrm{Core}_{\Gamma_{1,N}}(\Gamma'_{1,N})},$$
which, in the same vein, is obtained from $\mathbb{Q}(\mathcal{A}_g(\Gamma'_{1,N}))$ by adding a primitive $N$th root of unity $\zeta_N$. The Galois group of this Galois closure is $\Gamma_{1,N} / \mathrm{Core}_{\Gamma_{1,N}}(\Gamma'_{1,N})$, so by Lemma 4 and Lemma 6 we have
$$\mathbb{Q}(\mathcal{A}_g(\Gamma'_{1,N})) = \mathbb{Q}(\mathcal{A}_g(\Gamma_{1,N}))\big(\sqrt[N]{\rho_1}, \dots, \sqrt[N]{\rho_{g(g+1)/2}}\big)$$
for certain functions $\rho_1, \dots, \rho_{g(g+1)/2}$ on $\mathcal{A}_g(\Gamma_{1,N})$.


The line of thought behind multiradical isogenies is then that the coordinates of our distinguished generators $P_1', \dots, P_g'$ can essentially be viewed as functions on $\mathcal{A}_g(\Gamma'_{1,N})$, therefore they should be expressible in terms of the radicals $\sqrt[N]{\rho_i}$. Since we work over $\mathbb{Q}$, these expressions make sense over any perfect field $K$, as long as $\operatorname{char} K$ does not divide any denominators; in fact, the idea/hope behind our good reduction assumption (3) is that all of this can be set up over $\mathbb{Z}[1/N]$ rather than $\mathbb{Q}$.

${}^6$ These varieties may be geometrically reducible; more precisely, for $H \subseteq \mathrm{GSp}_{2g}(\mathbb{Z}_n)$ we have that $\mathcal{A}_g(H)$ decomposes into $[\mathbb{Z}_n^* : d(H)]$ irreducible components over $\mathbb{Q}(\zeta_n)$.
3.2 Conjectured existence of multiradical isogeny formulae
As we have discussed in the introduction, it only makes sense to talk about
multiradical isogeny formulae at the level of concrete families that come equipped
with formulae of Vélu, Richelot, . . . type for the codomain p.p. abelian varieties.
Let us therefore repeat, in more detail, our main surmise from Conjecture 1.
For integers $r, g \ge 1$, $N \ge 2$, we consider a smooth family of $g$-dimensional p.p. abelian varieties $A_s$ equipped with marked points $P_{s,1}, \dots, P_{s,g}$ that generate an $(N, \dots, N)$-subgroup $G_s \subseteq A_s$, where the parameter $s = (s_1, \dots, s_r)$ ranges over some quasi-affine subset $S \subseteq \mathbb{A}^r$. We assume that we have algebraic formulae at our disposal, explicitly describing $A_s' = A_s / G_s$ in terms of the $s_i$. Then we believe that there always exist accompanying multiradical formulae, producing a set of generators $P_{s,1}', \dots, P_{s,g}'$ of an $(N, \dots, N)$-subgroup $G_s' \subseteq A_s'$ which is such that the extension
$$A_s \xrightarrow{\ \varphi\ } A_s' = A_s / G_s \xrightarrow{\ \varphi'\ } A_s' / G_s'$$
is good. Moreover, we believe that the formulae can be chosen such that they are complete, and such that they work over any perfect field over which the parametrization by $S$ makes sense.
The radicands $r_i$ appearing in these formulae should be related to the functions $\rho_i$ from the previous section, as follows. As before, assume we are working over $\mathbb{Q}$. By the universal property of moduli spaces, we have a natural morphism $\sigma : S \to \mathcal{A}_g(\Gamma_{1,N})$, sending $s$ to the isomorphism class of $(A_s, P_{s,1}, \dots, P_{s,g})$. This allows us to pull back the functions $\rho_i \in \mathbb{Q}(\mathcal{A}_g(\Gamma_{1,N}))$ to $\mathbb{Q}(S)$; here we assume that the image of $S$ is not included in the polar locus of $\rho_i$. These pull-backs should be our $r_i$'s. Explicitly,
$$r_1 := \rho_1 \circ \sigma, \quad \dots, \quad r_{g(g+1)/2} := \rho_{g(g+1)/2} \circ \sigma,$$
which can indeed be viewed as algebraic expressions in the coordinates $s_i$.


We point out that, for the sake of flexibility, we do not require the map $S \to \mathcal{A}_g(\Gamma_{1,N})$ to be injective, i.e., up to isomorphism, different $s$ may result in the same p.p. abelian variety and the same generators of an $(N, \dots, N)$-subgroup. Our examples in Section 4 include several families featuring such a redundancy.

Remark 7. Our formulae should make sense at every point of $S$, therefore the functions $r_1, \dots, r_{g(g+1)/2}$ should be free of poles. In view of the completeness, they should also be free of zeroes.

Remark 8. For small families, the extension
$$\mathbb{Q}(S) \subseteq \mathbb{Q}(S)\big(\sqrt[N]{r_1}, \dots, \sqrt[N]{r_{g(g+1)/2}}\big)$$
may not be of degree $N^{g(g+1)/2}$. Indeed, when pulled back along $\sigma$, several of the radicands $\rho_i$ may become interrelated. In such cases it is tempting to compress the formulae into versions that use fewer radicals, but then the completeness property gets lost. For instance, in the example in Section 4.3 below, as many as $g(g-1)/2$ radicands collapse to the constant 1; nevertheless one should allow the corresponding occurrences of $\sqrt[N]{1}$ to range independently over the set of $N$th roots of unity if one wants to find all $N^{g(g+1)/2}$ good extensions.

If our family of p.p. abelian varieties $A_s$ consists of (products of) Jacobians of curves $C_s$ which, when viewed as a single curve over $\mathbb{Q}(S)$, is either of genus 2 or admits a rational point, then Conjecture 1 comes with the following addendum:

(4) Tate pairings as suitable radicands. The radicands $r_1, \dots, r_{g(g+1)/2}$ can be taken to be representants of the Tate pairings
$$t_N(P_{s,i}, P_{s,j}) \in \mathbb{Q}(S)^* / (\mathbb{Q}(S)^*)^N$$
where $i \le j$ range over $\{1, \dots, g\}$.

This is motivated, again, by our examples below, and by the following observation. For each $1 \le i \le j \le g$, choose a representant $r_{i,j}$ of $t_N(P_{s,i}, P_{s,j})$. Let $\mathbb{Q}(S)(G_s')$ denote the field obtained from $\mathbb{Q}(S)$ by adjoining the coordinates of $P_{s,1}', \dots, P_{s,g}'$. As discussed in Remark 5, we can assume that $\hat{\varphi}(P_{s,i}') = P_{s,i}$ for all $i$. This implies that
$$r_{i,j} = t_N\big(\hat{\varphi}(P_{s,i}'), \hat{\varphi}(P_{s,j}')\big) = t_N(P_{s,i}', P_{s,j}')^N$$
when viewed as elements of $\mathbb{Q}(S)(G_s')^* / (\mathbb{Q}(S)(G_s')^*)^N$; the second equality follows from the compatibility property of the Tate pairing, see [30, Lem. 5]. Thus $\mathbb{Q}(S)(G_s')$ contains $\mathbb{Q}(S)\big(\sqrt[N]{r_{i,j}} \mid 1 \le i \le j \le g\big)$.
We did not manage to prove that these two fields are in fact equal, which would lend further support for our addendum.${}^7$ While for $g = 1$ equality can be established using non-degeneracy of the Tate pairing over finite fields containing a primitive $N$th root of unity [10, §3], for $g > 1$ non-degeneracy or even perfectness does not seem strong enough to mimic that argument.

4 Examples

In this section, we show how multiradical isogeny formulae manifest themselves


for two well-known families: Richelot isogenies, and fully split isogenies from
products of elliptic curves. We also show that multiradical isogeny formulae
apply to a certain (5, 5)-isogeny that was described by Flynn [21]. Our main ex-
ample, namely non-split (3, 3)-isogenies from Jacobians of genus-2 curves, will be
discussed in Section 5. We begin by recalling an elliptic curve example from [10].
${}^7$ Note however that the addendum is an even stronger statement, e.g., in view of Remark 8.
4.1 Elliptic curves

Consider the family of elliptic curves $E$ with a marked point $P \in E$ of order $N$. For $N \ge 4$ this family is conveniently parametrized by the Tate normal form:${}^8$
$$E : y^2 + (1 - c)xy - by = x^3 - bx^2, \qquad P = (0, 0).$$
Concretely, we let $S \subseteq \mathbb{A}^2$ be the subset of pairs $(b, c)$ for which $E$ is non-singular and $P$ has exact order $N$; we refer to [43] for how to obtain a concrete equation for $S$, which is a model of the modular curve $Y_1(N)$ and which is naturally defined over $\mathbb{Z}[1/N]$. The existence of radical and complete isogeny formulae was discussed in [10], where it was argued that one can take $r_1 = f_{N,P}(-P)$, with $f_{N,P}$ the function on $E$ with divisor $N(P) - N(\infty)$, normalized such that its expansion at $\infty$ with respect to the uniformizer $x/y$ has leading coefficient 1. As mentioned there, $r_1$ is a representant of $t_N(P, -P) = t_N(P, P)^{-1}$, so in order to enforce property (4), one should instead work with $r_1^{-1}$. This does not cause any issues because $r_1$ has no zeroes or poles on $S$; see also Remark 7.
For the sake of example, let us revisit the case $N = 5$, where we have $r_1 = b$ and $S = \{\, (b, c) \in \mathbb{A}^2 \mid b = c,\ b \ne 0,\ b \ne (11 \pm 5\sqrt{5})/2 \,\}$. Vélu's formulae yield the following defining equation for $E' = E / \langle P \rangle$:
$$y^2 + (1 - b)xy - by = x^3 - bx^2 - 5b(b^2 + 2b - 1)x - b(b^4 + 10b^3 - 5b^2 + 15b - 1).$$
From [10, §4] we see that the point
$$P' = \Big( 5\sqrt[5]{r_1}^{\,4} + (b - 3)\sqrt[5]{r_1}^{\,3} + (b + 2)\sqrt[5]{r_1}^{\,2} + (2b - 1)\sqrt[5]{r_1} - 2b,\ \ 5\sqrt[5]{r_1}^{\,4} + (b - 3)\sqrt[5]{r_1}^{\,3} + (b^2 - 10b + 1)\sqrt[5]{r_1}^{\,2} + (13b - b^2)\sqrt[5]{r_1} - b^2 - 11b \Big) \qquad (7)$$
on $E'$ is of the requested kind, i.e., it is the distinguished generator of a subgroup $G' \subseteq E'[5]$ such that the composed isogeny $E \to E' \to E'/G'$ is cyclic of degree 25. Varying the choice of $\sqrt[5]{r_1}$ produces the five subgroups for which this is true. The formula (7) satisfies the good reduction property and allows for a very fast computation of chains of 5-isogenies over finite fields; e.g., over $\mathbb{F}_p$ with $p \not\equiv 1 \bmod 5$ we obtain a speed-up by roughly a factor 40 over more traditional methods [10, Tbl. 4]. We recall that, for general $N$, the good reduction property is conjectural [10, Conj. 1].
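As an added worked example, not part of the thesis or of the code base of [10], the following Python script carries out the radical 5-isogeny step above over $\mathbb{F}_p$ with $p \not\equiv 1 \bmod 5$: it takes the unique fifth root of $r_1 = b$, evaluates (7) on Vélu's curve $E'$, checks that $P'$ lies on $E'$, and moves $(E', P')$ back to Tate normal form so that the step can be iterated. The change of variables back to Tate normal form (translate, shear, scale) is a standard Weierstrass transformation added here, not a formula from the page; the sample parameters are constructed.

```python
# Added example (not from the thesis): one radical 5-isogeny step, iterated over F_p
# with p != 1 (mod 5). Plain modular arithmetic on Python integers, no external library.
# A curve is a tuple (a1, a2, a3, a4, a6) of  y^2 + a1 xy + a3 y = x^3 + a2 x^2 + a4 x + a6.

def fifth_root(b, p):
    """Unique fifth root of b in F_p; unique because gcd(5, p-1) = 1 when p != 1 mod 5."""
    if p % 5 == 1:
        raise ValueError("p = 1 mod 5: five fifth roots exist, one must be chosen explicitly")
    return pow(b, pow(5, -1, p - 1), p)

def velu_codomain(b, p):
    """E' = E/<(0,0)> for E: y^2 + (1-b)xy - by = x^3 - bx^2 (Tate normal form, N = 5, b = c)."""
    return ((1 - b) % p, -b % p, -b % p,
            (-5 * b * (b * b + 2 * b - 1)) % p,
            (-b * (b**4 + 10 * b**3 - 5 * b**2 + 15 * b - 1)) % p)

def distinguished_point(b, alpha, p):
    """Formula (7): the point P' on E' with dual image P, written in alpha = b^(1/5)."""
    x = 5*alpha**4 + (b - 3)*alpha**3 + (b + 2)*alpha**2 + (2*b - 1)*alpha - 2*b
    y = 5*alpha**4 + (b - 3)*alpha**3 + (b*b - 10*b + 1)*alpha**2 + (13*b - b*b)*alpha - b*b - 11*b
    return (x % p, y % p)

def on_curve(E, P, p):
    a1, a2, a3, a4, a6 = E
    x, y = P
    return (y*y + a1*x*y + a3*y - (x**3 + a2*x*x + a4*x + a6)) % p == 0

def to_tate_normal_form(E, P, p):
    """Standard change of variables (added here, not from the page) taking (E, P) with
    ord(P) >= 4 to y^2 + (1-c)xy - by = x^3 - bx^2 with P = (0,0); returns (b, c)."""
    a1, a2, a3, a4, a6 = E
    r, t = P
    # 1. translate P to the origin: x = X + r, y = Y + t
    A1, A2 = a1, (a2 + 3*r) % p
    A3 = (a3 + r*a1 + 2*t) % p              # non-zero because P is not 2-torsion
    A4 = (a4 + 2*r*a2 - t*a1 + 3*r*r) % p   # constant term vanishes because P lies on E
    # 2. shear y = Y + sX with s = A4/A3, killing the x-term
    s = A4 * pow(A3, -1, p) % p
    B1, B2, B3 = (A1 + 2*s) % p, (A2 - s*A1 - s*s) % p, A3   # B2 != 0 because ord(P) > 3
    # 3. scale x = u^2 X, y = u^3 Y with u = B3/B2 so that a2 = a3 = -b
    u = B3 * pow(B2, -1, p) % p
    b = -B3 * pow(pow(u, 3, p), -1, p) % p
    c = (1 - B1 * pow(u, -1, p)) % p
    return b, c

def radical_5_isogeny_step(b, p):
    """One radical step on X_1(5): returns the Tate-normal-form parameter b' of (E', P')."""
    if b % p == 0 or (b*b - 11*b - 1) % p == 0:
        raise ValueError("singular curve: b(b^2 - 11b - 1) = 0")
    alpha = fifth_root(b, p)
    E2 = velu_codomain(b, p)
    P2 = distinguished_point(b, alpha, p)
    assert on_curve(E2, P2, p)
    b2, c2 = to_tate_normal_form(E2, P2, p)
    assert b2 == c2, "P' has order 5, so (E', P') must land back on X_1(5), i.e. b = c"
    return b2

def radical_5_isogeny_chain(b, p, steps):
    """Parameters b_0 = b, b_1, ..., b_steps of a cyclic 5^steps-isogeny chain."""
    out = [b % p]
    for _ in range(steps):
        out.append(radical_5_isogeny_step(out[-1], p))
    return out

if __name__ == "__main__":
    p = 2**127 - 1            # p = 2 mod 5: every step costs one exponentiation for the root
    print(radical_5_isogeny_chain(3, p, 10))   # constructed starting parameter b = 3
```

Each step does one modular exponentiation for the fifth root plus a handful of multiplications; the two assertions inside `radical_5_isogeny_step` are the practitioner's sanity checks (the point lands on Vélu's curve, and the resulting curve is again on $Y_1(5)$ with $b = c$).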

4.2 Richelot isogenies

A convenient reference for Richelot isogenies is [40, Ch. 8]. We consider genus-2 curves $C$ equipped with two generators of a $(2,2)$-subgroup of $J_C$. Such marked curves can be parametrized by $S = \mathbb{A}^9 \setminus \Delta$, by letting $s = (s_{ij})_{1 \le i,j \le 3}$ correspond to the Jacobian of
$$C : y^2 = G_1(x) G_2(x) G_3(x), \qquad G_i(x) = s_{i1} x^2 + s_{i2} x + s_{i3},$$
equipped with the divisor classes $D_1, D_2$ from Example 3. Here $\Delta$ is cut out by the discriminant of $G_1(x) G_2(x) G_3(x)$. The parametrization works over $\mathbb{Z}[1/2]$.

${}^8$ See [10, §4] for a discussion of the cases $N = 2, 3$.
We claim that we can take $r_1 = \mathrm{res}_x(G_2, G_3)$, $r_2 = \mathrm{res}_x(G_1, G_3)$ and $r_3 = \mathrm{res}_x(G_1, G_2)$. By Example 3 we know that
$$t_2(D_1, D_1) \equiv r_2 r_3, \qquad t_2(D_1, D_2) \equiv r_3, \qquad t_2(D_2, D_2) \equiv r_1 r_2$$
modulo squares, so the validity of property (4) is not affected by our choice of radicands. Indeed, formulae in terms of $\sqrt{r_1}, \sqrt{r_2}, \sqrt{r_3}$ can easily be rewritten into formulae in terms of $\sqrt{r_2 r_3}, \sqrt{r_3}, \sqrt{r_1 r_2}$, and vice versa.
To proceed, we slightly shrink $S$ by removing the zero locus of the determinant $\delta = |s_{ij}|_{1 \le i,j \le 3}$. This guarantees that the p.p. abelian surface $J_C / \langle D_1, D_2 \rangle$ is again a Jacobian. More precisely, Richelot's formulae show that it is isomorphic to $J_{C'}$ with
$$C' : \delta y^2 = H_1(x) \cdot H_2(x) \cdot H_3(x),$$
where $H_1 := G_2' G_3 - G_2 G_3'$, $H_2 := G_3' G_1 - G_3 G_1'$ and $H_3 := G_1' G_2 - G_1 G_2'$. The reader can verify that $\mathrm{disc}(H_i) = 4 r_i$, so the two zeroes of $H_i$ are algebraic expressions in $\sqrt{r_i}$ and in the $s_{ij}$'s, and they are obtained from one another by choosing the other square root of $r_i$; denote these two zeroes by $\alpha_{\pm i}$. Then according to [9, Prop. 2] the classes of
$$D_1' = (\alpha_1, 0) + (\alpha_2, 0) - \infty_1 - \infty_2, \qquad D_2' = (\alpha_{-1}, 0) + (\alpha_3, 0) - \infty_1 - \infty_2$$
generate a $(2,2)$-subgroup of $J_{C'}$ that defines a $(4,4)$-extension of the incoming isogeny $J_C \to J_{C'}$. Still according to [9, Prop. 2], the sign flips $\pm i$ produce the eight subgroups for which this is true. Thus we have found formulae that are multiradical and complete, and they clearly work in any characteristic different from 2.
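The following Python script is an added example (not code from the thesis) that makes the Richelot computation above explicit over $\mathbb{F}_p$: it forms the three radicands $r_i$ as resultants of quadratics, the quadratics $H_i$, checks $\mathrm{disc}(H_i) = 4r_i$, and enumerates the $2^3 = 8$ sign choices $\alpha_{\pm i}$ giving the kernels $\langle D_1', D_2' \rangle$ of the good $(4,4)$-extensions. It assumes $p \equiv 3 \bmod 4$ and takes square roots in $\mathbb{F}_p$ only; when some $r_i$ is a non-square the $\alpha_{\pm i}$ live in $\mathbb{F}_{p^2}$, which the script does not implement. The input $s_{ij}$ is constructed so that all three $r_i$ are squares modulo 19.

```python
# Added example (not from the thesis): Richelot step over F_p with the radicands
# r_i = res(G_j, G_k), the check disc(H_i) = 4 r_i, and the 8 sign choices of alpha_{+-i}.
# A quadratic c2 x^2 + c1 x + c0 is the tuple (c2, c1, c0); the input s is (G1, G2, G3).

def resultant_quadratics(G, H, p):
    """res_x(G, H) for two quadratics, closed form of the 4x4 Sylvester determinant."""
    a, b, c = G
    d, e, f = H
    return ((a*f - c*d)**2 - (a*e - b*d)*(b*f - c*e)) % p

def richelot_bracket(G, H, p):
    """[G, H] = G' H - G H', again a quadratic: (ae - bd) x^2 + 2(af - cd) x + (bf - ce)."""
    a, b, c = G
    d, e, f = H
    return ((a*e - b*d) % p, (2*(a*f - c*d)) % p, (b*f - c*e) % p)

def det3(M, p):
    (a, b, c), (d, e, f), (g, h, i) = M
    return (a*(e*i - f*h) - b*(d*i - f*g) + c*(d*h - e*g)) % p

def richelot_codomain(s, p):
    """Returns (delta, (H1, H2, H3), (r1, r2, r3)) with C': delta y^2 = H1 H2 H3,
    r1 = res(G2, G3), r2 = res(G1, G3), r3 = res(G1, G2)."""
    G1, G2, G3 = s
    delta = det3(s, p)
    if delta == 0:
        raise ValueError("delta = 0: the quotient splits as a product of elliptic curves")
    H = (richelot_bracket(G2, G3, p), richelot_bracket(G3, G1, p), richelot_bracket(G1, G2, p))
    r = (resultant_quadratics(G2, G3, p), resultant_quadratics(G1, G3, p),
         resultant_quadratics(G1, G2, p))
    return delta, H, r

def disc_identity_holds(s, p):
    """disc(H_i) = 4 r_i for i = 1, 2, 3."""
    _, H, r = richelot_codomain(s, p)
    return all(((h1*h1 - 4*h2*h0) - 4*ri) % p == 0 for (h2, h1, h0), ri in zip(H, r))

def sqrt_mod(a, p):
    """Square root in F_p for p = 3 mod 4; None when a is a non-square."""
    assert p % 4 == 3
    x = pow(a, (p + 1) // 4, p)
    return x if (x*x - a) % p == 0 else None

def good_extension_kernels(s, p):
    """The eight pairs (D1', D2'), each given by the x-coordinates of its Weierstrass points:
    D1' = (alpha_{e1}, alpha_{e2}), D2' = (alpha_{-e1}, alpha_{e3}) for e1, e2, e3 in {+,-}."""
    _, H, r = richelot_codomain(s, p)
    roots = []
    for (h2, h1, h0), ri in zip(H, r):
        rho = sqrt_mod(ri, p)
        if rho is None or h2 == 0:
            raise ValueError("root of H_i not in F_p (or H_i degenerate): extend to F_{p^2}")
        inv = pow(2*h2, -1, p)
        plus, minus = (-h1 + 2*rho) * inv % p, (-h1 - 2*rho) * inv % p   # uses disc(H_i) = 4 r_i
        assert (h2*plus*plus + h1*plus + h0) % p == 0
        roots.append((plus, minus))
    kernels = []
    for e1 in (0, 1):
        for e2 in (0, 1):
            for e3 in (0, 1):
                D1 = (roots[0][e1], roots[1][e2])
                D2 = (roots[0][1 - e1], roots[2][e3])   # the *other* root of H1
                kernels.append((D1, D2))
    return kernels

if __name__ == "__main__":
    p = 19
    # constructed input: G1 = (x-5)(x-8), G2 = x(x-3), G3 = (x-1)(x-4) reduced mod 19,
    # chosen so that r1 = 11, r2 = 17, r3 = 1 are all squares in F_19
    s = ((1, 6, 2), (1, 16, 0), (1, 14, 4))
    delta, H, r = richelot_codomain(s, p)
    print("delta =", delta, " H =", H, " r =", r, " disc(H_i) = 4 r_i:", disc_identity_holds(s, p))
    for D1, D2 in good_extension_kernels(s, p):
        print("D1' on x =", D1, "  D2' on x =", D2)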

Remark 9. One could also try and study the complementary case, namely the restriction $S_0$ of $S$ to the zero locus of $\delta$. In this case $J_C / \langle D_1, D_2 \rangle$ geometrically splits as a product of two elliptic curves. Concrete equations for these elliptic curves can be found in [40, p. 119]. The reader can check that they are defined over the field obtained by adding a square root of $\mathrm{disc}_z(\mathrm{disc}_x(G_2 + z G_3))$ which, interestingly, turns out to be $16 r_1$. However, for a genuine verification of Conjecture 1, one would need a model of $J_C / \langle D_1, D_2 \rangle$ over $\mathbb{Q}(S_0)$ rather than $\mathbb{Q}(S_0)(\sqrt{r_1})$. This model concerns the Weil restriction to $\mathbb{Q}(S_0)$ of an elliptic curve defined over $\mathbb{Q}(S_0)(\sqrt{r_1})$, which is not easy to describe explicitly; see also [4].

4.3 Fully split $(N, \dots, N)$-isogenies from products of elliptic curves

In this example we consider $g$-fold products $E_1 \times \dots \times E_g$ of elliptic curves, marked with generators $D_1, \dots, D_g$ of an $(N, \dots, N)$-subgroup that are of the following kind: each $D_i$ is a $g$-tuple with $\infty_{E_j}$ at entry $j$, except when $j = i$, where we then have a point $P_i \in E_i$ of order $N$. Assuming $N \ge 4$, such marked products are naturally parametrized by $S^g \subseteq \mathbb{A}^{2g}$, with $S$ the modular curve $Y_1(N)$ from Section 4.1. Note that the corresponding $(N, \dots, N)$-isogenies split completely, i.e., they are of the form
$$\Phi : E_1 \times \dots \times E_g \to E_1' \times \dots \times E_g',$$
decomposing as the product of cyclic $N$-isogenies $\phi_i : E_i \to E_i'$ with kernel $\langle P_i \rangle$. We assume that the elliptic curves $E_i'$ are given by Vélu's formulae.
For each $i = 1, \dots, g$, we let $r_i$ be the representant of the Tate self-pairing $t_N(P_i, P_i)$ whose inverse was described in Section 4.1. We then choose the following representants of the Tate pairings $t_N(D_i, D_j)$, $1 \le i \le j \le g$: we pick 1 as soon as $i < j$, and we pick $r_i$ if $i = j$.
We are interested in identifying all $(N, \dots, N)$-subgroups of $(E_1' \times \dots \times E_g')[N]$ that have trivial intersection with the kernel of the dual of $\Phi$. Indeed, these are precisely the subgroups that can occur as $\ker \Psi$ for a good extension $\Psi$ of $\Phi$. To get a handle on the kernel of $\hat{\Phi}$, which is just the product of the $\hat{\phi}_i$'s, we rely on Lemma 10 below. When applied over $\mathbb{Q}(S)$, it implies that for each $i = 1, \dots, g$ we can find a formula $P_i'(\sqrt[N]{1})$ which, when reading $\sqrt[N]{1}$ as $\zeta_N$, produces a generator $P_i'$ of $\ker \hat{\phi}_i$ and which, when reading $\sqrt[N]{1}$ as $\zeta_N^k$, produces the point $k P_i'$ for $0 \le k \le N - 1$. Then $\ker \hat{\Phi}$ can be written as $\langle C_1', \dots, C_g' \rangle$, where each $C_i'$ is a $g$-tuple with $\infty_{E_j'}$ at each entry, except at $j = i$ where we have $P_i'$.

Lemma 10. Let $E$ be an elliptic curve over a perfect field $K$ with $\operatorname{char} K \nmid N$ and let $P \in E(K)$ be a point of order $N$. Let $\phi : E \to E' = E / \langle P \rangle$ be the corresponding quotient isogeny, where $E'$ is given by Vélu's formulae. Let $P'$ be a generator of the kernel of the dual isogeny $\hat{\phi}$. Then there exist polynomials $F, G, H \in K[z]$ such that
$$[F(\zeta_N^k) : G(\zeta_N^k) : H(\zeta_N^k)] = k P'$$
for all $0 \le k \le N - 1$.

Proof. The Weil pairing gives a group isomorphism between $\ker \hat{\phi}$ and $\mu_N$ that is compatible with the action of $\mathrm{Gal}(\bar{K}/K)$. In particular $P'$ has coordinates in $K(\zeta_N)$. Define $F(z)$ to be the classical Lagrange polynomial that interpolates the $x$-coordinates of $k P'$ for $0 \le k \le N - 1$. More precisely,
$$F(z) = \sum_{k=0}^{N-1} x(kP')\, \ell_k(z), \qquad \text{with } \ell_k(z) = \prod_{\substack{0 \le m \le N-1 \\ m \ne k}} \frac{z - \zeta_N^m}{\zeta_N^k - \zeta_N^m}.$$
Then it suffices to show that for any $\sigma \in \mathrm{Gal}(K(\zeta_N)/K)$ it holds that $F(z) = F^\sigma(z)$. Note that $\sigma : \zeta_N \mapsto \zeta_N^a$ for some $a$ coprime to $N$. One verifies that
$$\ell_k^\sigma(z) = \prod_{\substack{0 \le m \le N-1 \\ m \ne k}} \frac{z - \zeta_N^{am}}{\zeta_N^{ak} - \zeta_N^{am}} = \prod_{\substack{0 \le m \le N-1 \\ m \ne ak}} \frac{z - \zeta_N^m}{\zeta_N^{ak} - \zeta_N^m} = \ell_{ak}(z).$$
Furthermore, we can assume that the $x$-coordinates of the points of $\ker \hat{\phi}$ within the same Galois orbit were chosen compatibly, i.e. $\sigma(x(kP')) = x(\sigma(kP'))$ for all $\sigma \in \mathrm{Gal}(K(\zeta_N)/K)$ and for all $0 \le k \le N - 1$. Then because of the aforementioned isomorphism we must have $\sigma(x(kP')) = x(akP')$, such that indeed $F(z) = F^\sigma(z)$ as wanted. An analogous argument applies to the polynomials $G$ and $H$. □

We also know that, for each $i = 1, \dots, g$, there exists a formula $Q_i'(\sqrt[N]{r_i})$ producing a point $Q_i'$ that extends $P_i'$ to a basis of $E_i'[N]$. Furthermore, we know that by scaling $\sqrt[N]{r_i}$ with $\zeta_N^k$ for $0 \le k \le N - 1$, we cycle through all elements $Q_i' + k P_i'$.
We are ready to give multiradical and complete formulae that produce $g$-tuples $D_1', \dots, D_g' \in E_1' \times \dots \times E_g'$ generating the kernel of a good extension $\Psi$ of $\Phi$. Fix
$$D_1' = \big( Q_1'(\sqrt[N]{r_1}),\ P_2'(\sqrt[N]{1}),\ \dots,\ P_g'(\sqrt[N]{1}) \big),$$
which has $g$ degrees of freedom. Next, choose
$$D_2' = \big( \infty_{E_1'},\ Q_2'(\sqrt[N]{r_2}),\ P_3'(\sqrt[N]{1}),\ \dots,\ P_g'(\sqrt[N]{1}) \big),$$
where we fixed the first coordinate at $\infty_{E_1'}$ in order to avoid repetitions in the subgroups generated by $D_1'$ and $D_2'$. This results in $g - 1$ degrees of freedom. Continuing this inductively, we end up with
$$D_g' = \big( \infty_{E_1'},\ \dots,\ \infty_{E_{g-1}'},\ Q_g'(\sqrt[N]{r_g}) \big)$$
with only 1 degree of freedom left. In total, we have $\sum_{j=1}^{g} j = g(g+1)/2$ degrees of freedom as wanted, and running through all possible interpretations of the radicals (including the $g(g-1)/2$ occurrences of $\sqrt[N]{1}$) provides the kernels of all possible good extensions.

4.4 Flynn's family of $(5,5)$-isogenies from genus-2 curve Jacobians

Consider the family of genus-2 curves with given $(5,5)$-subgroup from [21], involving a single parameter $r$. In this section, we illustrate that multiradical isogeny formulae apply to this family. We do not aim at a full analysis including completeness, etc.; in fact, for simplicity we will restrict to the curve at $r = 1$. We remark that the absolute Igusa invariants of Flynn's family are in fact parameterless, so up to isomorphism this is the only curve in the family.
In order for the generators of the $(5,5)$-subgroup to be rational (and not just the subgroup), we will fix the base field as $\mathbb{Q}(\zeta_5)$, where $\zeta_5$ is a primitive fifth root of unity.${}^9$ Writing $\gamma_1 = \sqrt{5} = 2\zeta_5^3 + 2\zeta_5^2 + 1 \in \mathbb{Q}(\zeta_5)$, we have
$$C : y^2 = x^5 + 25x^4 - 200x^3 + 560x^2 - 640x + 256, \qquad T_1 = (4, 16\gamma_1) - \infty, \quad T_2 = (0, 16) - \infty,$$
where $T_1, T_2 \in J_C[5]$. Writing $\gamma_2 = \sqrt{2(1/\gamma_1 - 1)} = \dfrac{2\zeta_5^3 - 6\zeta_5^2 - 4\zeta_5 - 2}{5} \in \mathbb{Q}(\zeta_5)$, the genus-2 curve associated with the isogenous abelian surface obtained by quotienting out $\langle T_1, T_2 \rangle$ can be written as
$$\tilde{C} : y^2 = x^5 - 125x^4 + 5000x^3 - 175000x^2 + 1250000x - 81250000, \qquad \tilde{T}_1 = (10\gamma_1, 10000\gamma_2) - \infty, \quad \tilde{T}_2 = (-10\gamma_1, 5000\gamma_2(\gamma_1 + 1)) - \infty,$$
where $\langle \tilde{T}_1, \tilde{T}_2 \rangle$ is the kernel of the dual isogeny (in particular, $\tilde{T}_1, \tilde{T}_2 \in J_{\tilde{C}}[5]$). In order to extend $\langle \tilde{T}_1, \tilde{T}_2 \rangle$ to a basis for the 5-torsion of the Jacobian of $\tilde{C}$, with conjectured property (4) in mind we compute the following Tate pairings:
$$t_5(T_1, T_1) \equiv \gamma_1, \qquad t_5(T_1, T_2) \equiv (\gamma_1 - 1)/2, \qquad t_5(T_2, T_2) \equiv 1.$$

${}^9$ Remark that the quadratic extension $\mathbb{Q}(\sqrt{5})$ would suffice, but adding $\zeta_5$ makes for easier notation up ahead.

Defining $r_1 = \gamma_1$ and $r_2 = (\gamma_1 - 1)/2$, Conjecture 1 predicts that we can expect to find the 5-torsion of $J_{\tilde{C}}$ in $\mathbb{Q}(\zeta_5, \sqrt[5]{r_1}, \sqrt[5]{r_2})$. In order to compute this 5-torsion, we use techniques from [26] that build upon the work of [8].
Concretely, a typical 5-torsion point is expected to be represented by a divisor $D = P_1 + P_2 - 2\infty = (x_1, y_1) + (x_2, y_2) - 2\infty$, for two affine points $(x_1, y_1), (x_2, y_2)$ on $\tilde{C}$. We read the condition $5D \equiv 0$ as $5(P_1 - \infty) \equiv -5(P_2 - \infty)$. In [8], recursive formulae are derived to express $5((x_1, y_1) - \infty)$ as a function of $x_1, y_1$ and the coefficients of our genus-2 curve $\tilde{C}$. The same can be done for $-5((x_2, y_2) - \infty)$, and the aforementioned equality results in a system of equations that can be solved by a Gröbner basis computation. Note that for $D$ to be rational over a certain field, $x_1, y_1, x_2, y_2$ need not be defined over that same field. In Mumford coordinates, we can write
$$D = \Big( x^2 - (x_1 + x_2)x + x_1 x_2,\ \ y_1 + (y_2 - y_1)\frac{x - x_1}{x_2 - x_1} \Big)$$
and it suffices for the coefficients of these polynomials to be defined over the field. In practice, it is most convenient to simply add an extra variable and corresponding equation to the Gröbner basis computation from before, such as $X - (x_1 + x_2)$, and then compute the minimal polynomial of $X$ (i.e., put it last in a lexicographic monomial ordering for the Gröbner basis computation). The roots of this polynomial will then correspond to all possible $x_1 + x_2$ such that the class of $D$ is 5-torsion.
There are $5^4 - 1 = 624$ nontrivial elements in $J_{\tilde{C}}[5]$, but since $D$ and $-D$ correspond to the same $x_1 + x_2$, we expect the minimal polynomial of $X$ to be of degree 312 generically. In this specific case though, we have multiple 5-torsion divisors of the form $(x_1, y_1) - \infty$ rather than $(x_1, y_1) + (x_2, y_2) - 2\infty$ (e.g., this is the case for $\tilde{T}_1$ and $\tilde{T}_2$). The techniques of [26] do not capture such points. Nonetheless, all other 5-torsion divisors can be found this way and the minimal polynomial of $X$ turns out to be of degree 305. Factoring this polynomial over $\mathbb{Q}(\zeta_5, \sqrt[5]{r_1}, \sqrt[5]{r_2})[X]$ we see that it splits completely as expected, thereby lending support to Conjecture 1.
A similar computation can be done for the other coefficients of the Mumford coordinates, which allows us to define
$$\tilde{T}_3 = \Bigg( x^2 + \Big( 100\,\frac{\alpha_2^4 - (\zeta_5 + 1)^2 \alpha_2^3 - (\zeta_5^4 + 1)\alpha_2^2 + (\zeta_5^3 - 2\zeta_5 - 2)\alpha_2}{\gamma_1 \zeta_5^3 (\zeta_5^2 + 1)} + 1 \Big) x + \Big( 500\,\frac{10\alpha_2^4 - 2(\zeta_5 - 1)^2 \alpha_2^3 - 2(7\zeta_5^3 + 11\zeta_5^2 + 7\zeta_5)\alpha_2^2 + 10(\zeta_5^3 - 2\zeta_5 - 2)\alpha_2}{\gamma_1 \zeta_5^3 (\zeta_5^2 + 1)} + 1 \Big),$$
$$\qquad 100\big( (7\zeta_5^2 - \zeta_5 + 7)\alpha_2^4 - (2\zeta_5^3 + 5\zeta_5^2 + 2\zeta_5)\alpha_2^3 + (7\zeta_5^3 + 5\zeta_5 + 5)\alpha_2^2 - (6\zeta_5^3 + 7\zeta_5^2 + 7\zeta_5 + 6)\alpha_2 - 7 \big)\, x + 5000\big( -(3\zeta_5^2 + 3\zeta_5 + 3)\alpha_2^4 - (2\zeta_5^3 - \zeta_5^2 + 2\zeta_5)\alpha_2^3 + (\zeta_5^3 - \zeta_5 - 1)\alpha_2^2 + (6\zeta_5^3 + 3\zeta_5^2 + 3\zeta_5 + 6)\alpha_2 - 5 \big) \Bigg),$$
where $\alpha_2 = \sqrt[5]{r_2}$. One can easily verify that $\tilde{T}_3 \in J_{\tilde{C}}[5] \setminus \langle \tilde{T}_1, \tilde{T}_2 \rangle$. The expression for a fourth element $\tilde{T}_4$ that completes a basis for $J_{\tilde{C}}[5]$ is too voluminous to reproduce here, but can be found online in our repository at https://github.com/KULeuven-COSIC/Multiradical-Isogenies. From this basis, the 125 maximal isotropic $(5,5)$-subgroups that determine a kernel which intersects the kernel of the dual isogeny trivially can easily be computed.

5 Multiradical (3, 3)-isogenies

5.1 The parametrization by Bruin, Flynn and Testa

Over any perfect field $K$ with $\operatorname{char} K \nmid 6$, we consider $\mathbb{A}^3$ with coordinates $r, s, t$, and we let $S \subseteq \mathbb{A}^3$ be the joint complement of the zero loci of${}^{10}$
$$\begin{aligned}
\delta_1 &= t,\\
\delta_2 &= s,\\
\delta_3 &= st + 1,\\
\delta_4 &= r^3 - 3rt + t^2 + t,\\
\delta_5 &= r^3 s - 3rst + st^2 + st + t,\\
\delta_6 &= r^3 s^2 - 3rs^2 t - 3rs + s^2 t^2 + s^2 t + 2st + s + 1,\\
\delta_7 &= r^3 s^2 t + r^3 s - 3rs^2 t^2 - 3rst + s^2 t^3 + s^2 t^2 + 2st^2 + t,\\
\Delta &= r^6 s^2 - 6r^4 s^2 t - 3r^4 s + 2r^3 s^2 t^2 + 2r^3 s^2 t + 3r^3 st + r^3 s + r^3\\
&\quad + 9r^2 s^2 t^2 + 6r^2 st - 6rs^2 t^3 - 6rs^2 t^2 - 9rst^2 - 3rst - 3rt + s^2 t^4\\
&\quad + 2s^2 t^3 + s^2 t^2 + 2st^3 + 3st^2 + t^2 + t
\end{aligned}$$
and also of $r - 1$, $r^2 - t$ and $rs - st - 1$ (we don't give a name to these last three polynomials since their role is less essential, see Remark 12 below). Following Bruin, Flynn and Testa [5], to $r, s, t$ we then attach the genus-2 curve $C_{rst} : y^2 = F_{rst}(x)$, where
$$F_{rst}(x) = G_1(x)^2 + \lambda_1 H_1(x)^3 = G_2(x)^2 + \lambda_2 H_2(x)^3$$
and
$$\begin{aligned}
H_1(x) &= x^2 + rx + t, & \lambda_1 &= 4s, & G_1(x) &= (s - st - 1)x^3 + 3s(r - t)x^2 + 3sr(r - t)x - st^2 + sr^3 + t,\\
H_2(x) &= x^2 + x + r, & \lambda_2 &= 4st, & G_2(x) &= (s - st + 1)x^3 + 3s(r - t)x^2 + 3sr(r - t)x - st^2 + sr^3 - t.
\end{aligned}$$
One can calculate that $\mathrm{disc}(F_{rst}) = -2^{12} 3^6 \delta_1^3 \delta_2^3 \delta_3 \delta_4^3 \delta_5 \delta_6^3 \delta_7^3 \ne 0$, so $C_{rst}$ is a genus-2 curve. We write $J_{rst}$ for the Jacobian of $C_{rst}$.

${}^{10}$ Note that [5] define $\delta_1 = s$ and $\delta_2 = t$, so some care is needed when comparing our formulae with the ones from this reference.
Proposition 11. For $i = 1, 2$, write $T_i \in J_{rst}(K)$ for the divisor class of
$$(H_i, G_i) := (\alpha_{i1}, G_i(\alpha_{i1})) + (\alpha_{i2}, G_i(\alpha_{i2})) - \infty_1 - \infty_2,$$
where $\alpha_{i1}, \alpha_{i2} \in \bar{K}$ denote the zeroes of $H_i(x)$. Then $\langle T_1, T_2 \rangle$ is a maximal isotropic subgroup of $J_{rst}[3]$, and the quotient $J_{rst} / \langle T_1, T_2 \rangle$ is isomorphic over $K$ to the Jacobian $J^{(-3)}_{r's't'}$ of the genus-2 curve
$$C^{(-3)}_{r's't'} : -3y^2 = F_{r's't'}(x),$$
where $(r', s', t') = \psi_0(r, s, t) :=$
$$\left( \frac{-s(r - 1)(r^2 - t)(\delta_5 - r)}{(rs - st - 1)^2\, \delta_4},\ \ \frac{(rs - st - 1)^3\, \delta_4^2}{st(r - 1)^3\, \Delta},\ \ \frac{s^2 (r - 1)^3 (r^2 - t)^3}{(rs - st - 1)^3\, \delta_4^2} \right).$$
Writing $F_{r's't'}(x) = G_1'(x)^2 + \lambda_1' H_1'(x)^3 = G_2'(x)^2 + \lambda_2' H_2'(x)^3$ as above, the kernel of the dual isogeny is generated by the corresponding points $T_i'$, by which we mean the divisor classes of
$$(H_i', G_i'/\sqrt{-3}) = (\alpha_{i1}', G_i'(\alpha_{i1}')/\sqrt{-3}) + (\alpha_{i2}', G_i'(\alpha_{i2}')/\sqrt{-3}) - \infty_1 - \infty_2,$$
with $\alpha_{i1}', \alpha_{i2}' \in \bar{K}$ the zeroes of $H_i'(x)$, for $i = 1, 2$.

Proof. This follows from [5, Thm. 6 & Lem. 10]. □

We call $(H_i, G_i)$ the Mumford coordinates of $T_i$, because of the clear analogy with the Mumford coordinates in the case of hyperelliptic curves with an imaginary Weierstrass model, i.e., with a unique place at infinity.${}^{11}$

${}^{11}$ For an even better analogy, one should reduce the degree of the second component by writing $(H_i, G_i \bmod H_i)$.
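As an added example (not from the thesis or from [5]), the Python script below builds $F_{rst}$ over $\mathbb{F}_p$ from both $(G_1, \lambda_1, H_1)$ and $(G_2, \lambda_2, H_2)$ and checks that the two representations agree, evaluates the polynomials $\delta_1, \dots, \delta_7, \Delta$ and the three extra ones that define $S$, and computes $\psi_0(r, s, t)$ from Proposition 11. The sample triple $(r, s, t) = (2, 1, 3)$ and the prime $p = 10007$ are constructed for the demonstration.

```python
# Added example (not from the thesis): the Bruin-Flynn-Testa parametrization over F_p.
# Polynomials are coefficient lists, lowest degree first; all arithmetic is mod p.

def padd(f, g, p):
    n = max(len(f), len(g))
    return [((f[i] if i < len(f) else 0) + (g[i] if i < len(g) else 0)) % p for i in range(n)]

def pmul(f, g, p):
    out = [0] * (len(f) + len(g) - 1)
    for i, fi in enumerate(f):
        for j, gj in enumerate(g):
            out[i + j] = (out[i + j] + fi * gj) % p
    return out

def pscale(c, f, p):
    return [c * x % p for x in f]

def bft_data(r, s, t, p):
    """(H1, lambda1, G1, H2, lambda2, G2) attached to the triple (r, s, t)."""
    H1 = [t, r, 1]                                        # x^2 + r x + t
    G1 = [(-s*t*t + s*r**3 + t) % p, 3*s*r*(r - t) % p, 3*s*(r - t) % p, (s - s*t - 1) % p]
    H2 = [r, 1, 1]                                        # x^2 + x + r
    G2 = [(-s*t*t + s*r**3 - t) % p, 3*s*r*(r - t) % p, 3*s*(r - t) % p, (s - s*t + 1) % p]
    return H1, 4*s % p, G1, H2, 4*s*t % p, G2

def F_rst(r, s, t, p):
    """The sextic F_rst from both representations; returns (F, True iff they coincide)."""
    H1, l1, G1, H2, l2, G2 = bft_data(r, s, t, p)
    F1 = padd(pmul(G1, G1, p), pscale(l1, pmul(H1, pmul(H1, H1, p), p), p), p)
    F2 = padd(pmul(G2, G2, p), pscale(l2, pmul(H2, pmul(H2, H2, p), p), p), p)
    return F1, F1 == F2

def deltas(r, s, t, p):
    """(delta_1, ..., delta_7, Delta) as in the definition of S."""
    d1, d2, d3 = t, s, s*t + 1
    d4 = r**3 - 3*r*t + t*t + t
    d5 = r**3*s - 3*r*s*t + s*t*t + s*t + t
    d6 = r**3*s*s - 3*r*s*s*t - 3*r*s + s*s*t*t + s*s*t + 2*s*t + s + 1
    d7 = r**3*s*s*t + r**3*s - 3*r*s*s*t*t - 3*r*s*t + s*s*t**3 + s*s*t*t + 2*s*t*t + t
    D = (r**6*s*s - 6*r**4*s*s*t - 3*r**4*s + 2*r**3*s*s*t*t + 2*r**3*s*s*t + 3*r**3*s*t
         + r**3*s + r**3 + 9*r*r*s*s*t*t + 6*r*r*s*t - 6*r*s*s*t**3 - 6*r*s*s*t*t
         - 9*r*s*t*t - 3*r*s*t - 3*r*t + s*s*t**4 + 2*s*s*t**3 + s*s*t*t + 2*s*t**3
         + 3*s*t*t + t*t + t)
    return tuple(x % p for x in (d1, d2, d3, d4, d5, d6, d7, D))

def in_S(r, s, t, p):
    """True iff (r, s, t) avoids every removed zero locus, the three unnamed ones included."""
    extra = ((r - 1) % p, (r*r - t) % p, (r*s - s*t - 1) % p)
    return all(x != 0 for x in deltas(r, s, t, p) + extra)

def psi0(r, s, t, p):
    """(r', s', t') of Proposition 11, the parameters of the codomain curve C^(-3)_{r's't'}."""
    _, _, _, d4, d5, _, _, D = deltas(r, s, t, p)
    w = (r*s - s*t - 1) % p
    inv = lambda x: pow(x % p, -1, p)
    rp = -s*(r - 1)*(r*r - t)*(d5 - r) * inv(w*w*d4) % p
    sp = w**3 * d4*d4 * inv(s*t*(r - 1)**3 * D) % p
    tp = s*s*(r - 1)**3*(r*r - t)**3 * inv(w**3 * d4*d4) % p
    return rp, sp, tp

if __name__ == "__main__":
    p = 10007
    r, s, t = 2, 1, 3     # constructed sample point of S
    F, same = F_rst(r, s, t, p)
    print("F_rst (low degree first):", F, " both representations agree:", same)
    print("in S:", in_S(r, s, t, p), " (delta_1..delta_7, Delta):", deltas(r, s, t, p))
    print("psi_0(r, s, t) =", psi0(r, s, t, p))
```

Over $\mathbb{Q}$ the same code with `Fraction` arithmetic gives $\psi_0(2, 1, 3) = (-3/8, -32/33, -1/32)$; the modular version above reproduces these values as residues, which is a convenient end-to-end check of the transcription of $\psi_0$ and of the $\delta_i$.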
All sufficiently general triples $(C, T_1, T_2)$ with $C$ a genus-2 curve and $T_1, T_2$ generating a $(3,3)$-subgroup of $J_C$ are reached by the above parametrization. One exception is where the effective parts of (the natural representants of) the divisor classes corresponding to the generators $T_1, T_2$ have non-disjoint supports. This is how one should understand the role of $r - 1$, $r^2 - t$, $rs - st - 1$: if any one of these expressions is zero, then one can still consider $C_{rst}, T_1, T_2$ as above,${}^{12}$ but the formulae of [5] will produce generators of the kernel of the dual isogeny that have non-disjoint supports.

Remark 12. While for certain curves the parametrization misses certain pairs $T_1, T_2$ generating a $(3,3)$-subgroup, every $(3,3)$-subgroup is reached. Indeed, by [5, Lem. 3] in combination with the paragraph preceding [5, Thm. 6], at least one choice of basis with generators from $\{T_1, T_2, T_1 + T_2, T_1 - T_2\}$ will be in sufficiently general form.

The role of $\Delta$ is more fundamental: it should not vanish because otherwise $J_{rst} / \langle T_1, T_2 \rangle$ is $K$-isomorphic to a product of elliptic curves.
We discuss the multiradical isogeny formulae corresponding to the family $S$ in Section 5.2. First, as an intermezzo, let us elaborate and discuss how to handle the case $\Delta = 0$, as well as how to walk away from products of elliptic curves. None of the material below is new; however, to the best of our knowledge, there is no article containing all these formulae, so we felt it was worth gathering them.

From Jacobians to products If ∆ = 0, then any algebraic software package


can easily verify that the polynomial Frst (x) factors in two cubic polynomials
over the ring Q(r, s, t, ζ3 )[x]/(∆), where ζ3 is a primitive cubic root of unity.
This factorization induces an isogeny to a product of elliptic curves, and we
refer to [33] for the general construction for (`, `)-split Jacobians. In the specific
case of a (3,3)-split Jacobian, we mention the complete characterization by [3,
Prop. A.2].

Proposition 13. Let $C$ be a genus-2 curve over a perfect field $K$ with $\operatorname{char} K \nmid 6$, and $J$ the Jacobian of $C$. If $J$ is $(3,3)$-isogenous to a product of elliptic curves $E_1 \times E_2$, then there exist elements $a, b, c, d, t \in K$ with
$$12ac + 16bd = 1, \qquad \Delta_1 = a^3 + b^2 \ne 0, \qquad \Delta_2 = c^3 + d^2 \ne 0, \qquad t \ne 0,$$
such that $C$ is isomorphic to $C_{abcdt} : ty^2 = f(x)$ and $E_i$ is isomorphic to $E_{i,abcdt} : ty^2 = f_i(x)$ for $i \in \{1, 2\}$, with
$$\begin{aligned}
f(x) &= (x^3 + 3ax + 2b)(2dx^3 + 3cx^2 + 1),\\
f_1(x) &= x^3 + 12(2a^2 d - bc)x^2 + 12(16ad^2 + 3c^2)\Delta_1 x + 512\Delta_1^2 d^3,\\
f_2(x) &= x^3 + 12(2bc^2 - ad)x^2 + 12(16b^2 c + 3a^2)\Delta_2 x + 512\Delta_2^2 b^3.
\end{aligned}$$

${}^{12}$ As long as no $\delta_i$ vanishes.
The corresponding morphisms $\varphi_i : C_{abcdt} \to E_{i,abcdt}$ are given by
$$\varphi_1(x, y) = \left( 12\Delta_1\, \frac{-2dx + c}{x^3 + 3ax + 2b},\ \ y\Delta_1\, \frac{16dx^3 - 12cx^2 - 1}{(x^3 + 3ax + 2b)^2} \right),$$
$$\varphi_2(x, y) = \left( 12\Delta_2\, \frac{x^2 (ax - 2b)}{2dx^3 + 3cx^2 + 1},\ \ y\Delta_2\, \frac{x^3 + 12ax - 16b}{(2dx^3 + 3cx^2 + 1)^2} \right).$$

As mentioned, the Jacobian of a genus-2 curve is generically not (3, 3)-split. If


it is, however, the curves E1,abcdt and E2,abcdt will typically be unique up to
isomorphism, i.e., the Jacobian should not be expected to split in more than
one way. Up to isomorphism, there are only two genus-2 curves which are (3, 3)-
isogenous to distinct products of elliptic curves [38].
Ideally, we would like more uniform formulae to identify the curves $C_{rst}$ and $C_{abcdt}$ with one another in the case where $\Delta$ equals zero. Unfortunately, these formulae would be extremely lengthy. In practice, however, finding an isomorphism from one to the other can be done relatively easily by a Gröbner basis computation, since isomorphisms between genus-2 curves are well understood.

Isogenies from products. Let $E_1 \times E_2$ be a product of elliptic curves, both defined over a perfect field $K$ with $\operatorname{char} K \nmid 6$, and $T_1, T_2 \in (E_1 \times E_2)(K)[3]$ such that $\langle T_1, T_2 \rangle$ is maximal isotropic with respect to the 3-Weil pairing. Then $(E_1 \times E_2) / \langle T_1, T_2 \rangle$ is again a product of elliptic curves in two scenarios. The first scenario is the most common one, where $T_1, T_2$ correspond to 3-torsion points on the separate elliptic curves $E_1, E_2$. The codomain of the isogeny can be computed using Vélu's formulae.

Proposition 14. Consider elliptic curves $E_1, E_2$ over a perfect field $K$ with $\operatorname{char} K \nmid 6$, with non-trivial $T_1 \in E_1[3]$, $T_2 \in E_2[3]$. Then $E_i$ can be written as $E_i : y^2 + a_i xy + b_i y = x^3$ for $i \in \{1, 2\}$, where the $T_i$ have been translated to $(0, 0)$ on the respective curves. Write $G = \langle (T_1, \infty_{E_2}), (\infty_{E_1}, T_2) \rangle$. Then the codomain of the isogeny with kernel $G$ is again a product of elliptic curves $E_1' \times E_2'$, where for $i \in \{1, 2\}$ we can write
$$E_i' : y^2 + a_i xy + b_i y = x^3 - 5a_i b_i x - a_i^3 b_i - 7b_i^2.$$

The second situation where the codomain of a $(3,3)$-isogeny with domain $E_1 \times E_2$ is again a product of elliptic curves is the relatively rare occurrence when there exists a 2-isogeny $\theta : E_1 \to E_2$. In this case, the isogeny is the endomorphism
$$\phi : E_1 \times E_2 \to E_1 \times E_2, \qquad (P, Q) \mapsto \big(P + \hat{\theta}(Q),\ -Q + \theta(P)\big),$$
with kernel the graph of the 2-isogeny $\theta|_{E_1[3]}$, see for example [23, §1].
In all other scenarios, (E_1 × E_2)/⟨T_1, T_2⟩ is the Jacobian of a genus-2 curve, where the kernel is the graph of an anti-isometry with respect to the 3-Weil pairing (see for example [16, Prop. 5.6] or [32, Thm. 3]). By this we mean that there exists an isomorphism ψ : E_1[3] → E_2[3] such that e_3(ψ(P), ψ(Q)) = e_3(P, Q)^{−1} for all P, Q ∈ E_1[3]. The formulae in this case are simply the dual isogenies of the split Jacobians in Proposition 13.
Of the 40 (3, 3)-isogenies with domain E1 × E2 , generically there are 16 with
codomain a product of elliptic curves, and 24 with codomain the Jacobian of
a genus-2 curve. The only exception to this is by means of an aforementioned
2-isogeny θ : E1 → E2 .

5.2 Multiradical formulae


We are interested in finding good extensions of our (3, 3)-isogeny

J_{rst} −→ J^{(−3)}_{r's't'} = J_{rst}/⟨T_1, T_2⟩. (8)

In view of the conjectured property (4), let us compute the relevant Tate pair-
ings. The reader might want to compare the following lemma with the Weil
pairing computation from [5, Lem. 4].
Lemma 15. Let

C : y² = G_1² + λ_1 H_1³ = G_2² + λ_2 H_2³

be a genus-2 curve over K with G_1, G_2, H_1, H_2 ∈ K[x] and H_1, H_2 quadratic, and consider the corresponding points T_1 = (H_1, G_1), T_2 = (H_2, G_2) ∈ J_C[3]. Then t_3(T_1, T_2) ≡ res_x(G_1 − G_2, H_2)/λ_1.
Proof. Write α_{11}, α_{12}, resp. α_{21}, α_{22}, for the roots of H_1(x), resp. H_2(x). It is easy to check that G_1(x) − y has divisor 3(H_1, G_1); however, in order to move away from infinity, as we did in Example 3, we instead work with (G_1(x) − y)/(x − c)³ for some c ∈ K that is different from α_{21}, α_{22}. Evaluating this function in (H_2, G_2) yields

t_3(T_1, T_2) ≡ − (G_1(α_{21}) − G_2(α_{21})) (G_1(α_{22}) − G_2(α_{22})) / ((α_{21} − c)³ (α_{22} − c)³ λ_1 lc(H_1)³) ≡ res_x(G_1 − G_2, H_2)/λ_1

modulo (K^*)³. □
Applying this to our instances of T_1, T_2, one checks that res_x(G_1 − G_2, H_2)/λ_1 equals δ_4/δ_2. As for the other pairings: Bruin, Flynn and Testa have also provided an explicit Mumford representation (H_3, G_3) for T_3 := T_1 + T_2, see [5, Thm. 6], and the analogous computations yield t_3(T_1, T_3) ≡ δ_7² and t_3(T_3, T_2) ≡ δ_1 δ_6². From these outcomes it follows that

t_3(T_1, T_1) ≡ δ_2 δ_4² δ_7², t_3(T_1, T_2) ≡ δ_2² δ_4, t_3(T_2, T_2) ≡ δ_1 δ_2 δ_4² δ_6².

We will instead work with the radicands

r_1 = δ_7 ≡ t_3(T_1, T_1) t_3(T_1, T_2),
r_2 = δ_2 δ_4² ≡ t_3(T_1, T_2)^{−1},
r_3 = δ_1 δ_6² ≡ t_3(T_1, T_2) · t_3(T_2, T_2),

which does not affect the validity of property (4). Indeed, formulae in terms of ∛r_1, ∛r_2, ∛r_3 can easily be rewritten into formulae in terms of ∛(r_1 r_2) = ∛t_3(T_1, T_1), ∛(1/r_2) = ∛t_3(T_1, T_2), ∛(r_2 r_3) = ∛t_3(T_2, T_2), and vice versa.
The good extensions of (8) are characterized by the fact that their kernel intersects the kernel ⟨T_1', T_2'⟩ of the dual isogeny trivially. In order to find such kernels, we are first and foremost interested in extending T_1', T_2' to a basis of the 3-torsion. To this end, we try to find all b_1, ..., b_7 such that

F_{r's't'}(x) = (b_4 x³ + b_3 x² + b_2 x + b_1)² + b_7 (x² + b_5 x + b_6)³. (9)

Indeed, every such tuple produces a divisor D with Mumford coordinates

(x² + b_5 x + b_6, (b_4 x³ + b_3 x² + b_2 x + b_1)/√−3)

satisfying 3D = (b_4 x³ + b_3 x² + b_2 x + b_1 − √−3 y), hence D ∈ J^{(−3)}_{r's't'}[3]. Conversely, every 3-torsion point arises in this way, see for example [7, §3.1]. Over an algebraic closure of the base field, 80 nontrivial 3-torsion elements exist and hence 80 tuples (b_1, ..., b_7) satisfy the above equation. We remark that for every solution (b_1, b_2, b_3, b_4, b_5, b_6, b_7) corresponding to a divisor D, there exists another solution (−b_1, −b_2, −b_3, −b_4, b_5, b_6, b_7) corresponding to the opposite divisor, whose class is −D.
The parametrization from Section 5.1 already gives rise to eight solution tuples (b_1, ..., b_7) corresponding to the elements in {iT_1' + jT_2' : 0 ≤ i, j ≤ 2} \ {0}. To find the rest of the tuples, one can write out the equation of F_{r's't'}(x) as well as the right-hand side of (9), and equate coefficients of the degree-six polynomials found. One can then compute a reduced Gröbner basis of these seven expressions with respect to the lexicographic monomial order.13
Assuming we put b_4 last in the monomial ordering, the last polynomial of the Gröbner basis will be a degree-80 polynomial in just b_4, whose roots correspond to possible solutions for b_4 in (9). Up to some constant factor, this minimal polynomial of b_4 is of the form

M(b_4) = ∏_{i=1}^{4} (b_4² − β_i²) · ∏_{k=1}^{4} f_k(b_4),

where the f_k(b_4) are polynomials of degree 18, and the β_i are the (necessarily rational) solutions corresponding to {iT_1' + jT_2' : 0 ≤ i, j ≤ 2} \ {0}. These β_i appear in pairs, which on the level of divisors coincides with the correspondence between D and −D, and for the same reason one can see that the polynomials f_k ought to be even. We will write f_k'(b_4) for the polynomial obtained by halving the exponents of the monomials of f_k(b_4).

13 Performing a straightforward Gröbner basis computation in Q[r, s, t, b_1, ..., b_7] will quickly result in memory issues. Instead, one can first transform F_{r's't'} to the more generic form x⁶ + ax⁴ + bx³ + cx² + dx + e to suppress the high degrees of r', s', t'. Next, one can compute the Gröbner basis over F_p[a, b, c, d, e, b_1, ..., b_7] for many p, then lift the solution to Q[a, b, c, d, e, b_1, ..., b_7] with the Chinese remainder theorem.

One can verify that the polynomials f_k'(b_4) ∈ Q(r, s, t)[b_4] all have Galois group (Z_3 × Z_3) ⋊ Z_3^*, but the action of Z_3^* originates from a cubic root of unity, and their Galois groups over Q(r, s, t, ζ_3) are thus Z_3 × Z_3. Writing α_1 = ∛r_1, α_2 = ∛r_2, α_3 = ∛r_3, it turns out that they split completely when extending the field Q(r, s, t, ζ_3) with {α_1, α_2}, {α_1, α_3}, {α_2, α_3} or {α_1 α_2, α_1 α_3}. All roots of one specific f_k'(b_4) can be obtained from a single given root, by scaling the cubic roots with powers of ζ_3. On the level of divisors, these associated roots correspond to adding a linear combination of T_1' and T_2'. More precisely, if x_k denotes a root of f_k'(b_4), we can make the following identification:

x_1(ζ_3^i α_1, ζ_3^j α_2) ←→ T_3' + iT_1' + jT_2' for 0 ≤ i, j ≤ 2,
x_2(ζ_3^i α_1, ζ_3^j α_3) ←→ T_4' + iT_1' + jT_2' for 0 ≤ i, j ≤ 2,
x_3(ζ_3^i α_2, ζ_3^j α_3) ←→ T_3' + T_4' + iT_1' + jT_2' for 0 ≤ i, j ≤ 2,
x_4(ζ_3^i α_1 α_2, ζ_3^j α_1 α_3) ←→ T_3' − T_4' + iT_1' + jT_2' for 0 ≤ i, j ≤ 2,

for any T_3', T_4' that extend ⟨T_1', T_2'⟩ to a basis of J^{(−3)}_{r's't'}[3]. This correspondence can be seen from the fact that all f_k'(b_4) split over different fields, yet T_1' and T_2' are rational over the ground field. Furthermore, for any fixed choice of i, j, k ∈ {0, 1, 2}, any two distinct divisors from this correspondence coinciding with the choice of ζ_3^i α_1, ζ_3^j α_2, ζ_3^k α_3 generate a (3, 3)-subgroup that intersects ⟨T_1', T_2'⟩ trivially. Hence, to find the 27 (up to sign) distinct b_4 that correspond to a (3, 3)-subgroup which is the kernel of a good extension relative to the original isogeny, it suffices to scale the radicands with cubic roots of unity.
In the appendix, we have included two expressions for b_4 which we believe are the easiest amongst the b_4 in terms of arithmetic. Alternatively, the formulae can also be extracted from the code of our hash function from Section 6, which can be found in our online repository at https://github.com/KULeuven-COSIC/Multiradical-Isogenies. One can derive closed algebraic expressions for b_i as functions of b_4 for i ∈ {1, 2, 3, 5, 6, 7}. However, in practice, it is more efficient to only partially do this for the easier expressions, and to obtain the remainder by means of a small Gröbner basis computation. Finding the 27 distinct pairs of tuples (b_1, ..., b_7) corresponding to good extensions is done by simply scaling the radicands in the expressions of the b_4 with cubic roots of unity before computing the rest of the b_i.

Remark 16. Observe that our formulae involve a factor √−3 (called twist in our code), but this factor disappears when considering the corresponding Mumford coordinates.

Iterated application. Using this new (3, 3)-subgroup ⟨T_3', T_4'⟩ as kernel for a new isogeny is easiest if we first transform C_{r's't'} into an isomorphic curve C_{RST}, where T_3' and T_4' have now taken the role of the T_1 and T_2 from Section 5.1 again. This isomorphism allows us to only need to perform the rational transformation ψ'(R, S, T) from Proposition 11 to compute the next isogenous curve. To find this isomorphism, one can use the construction of [5] that has been implemented in Magma in [22]. This construction makes use of somewhat expensive field extensions though, and in practice, a Gröbner basis computation is more efficient.

6 Hash function from (3, 3)-isogenies

We can use the (3, 3)-isogenies from the previous section to construct a hash
function similar to the hash function from [9]. We start by describing a general
outline, then present a more in-depth discussion regarding choices that must be
made.

6.1 The graph Gp

For a large prime p, we denote the (directed multi-)graph G_{p,3,2} from Section 2.5 as G_p and recall its construction. The vertices are all the F_{p²}-isomorphism classes of superspecial p.p. abelian surfaces, which can always be defined over F_{p²}. In practice we assume p ≡ 2 mod 3 and work with representants A/F_{p²} on which Frobenius acts as multiplication by −p; see [2]. A consequence of this choice is that A[3] ⊆ A(F_{p²}); indeed, on 3-torsion points Frobenius acts as multiplication by −p ≡ 1 mod 3. The edges are all possible (3, 3)-isogenies between these p.p. abelian surfaces (in the sense of Section 2.5), where multiplicities need to be taken into account. Given that only the superspecial surfaces are considered, the graph G_p is a directed 40-regular finite multigraph. In order to hash a given message in this graph, we first choose an arbitrary, yet fixed, starting vertex. Next, we order the 40 outgoing edges from this vertex according to some fixed order (e.g., lexicographic), and choose the first 27 to continue with. The message that needs to be hashed is then converted into a base-3 number, of which the digits are called trits. We choose to walk along the edge that corresponds to the three least significant trits of the message towards the next vertex. At this vertex, we consider the 27 outgoing edges that correspond to (3, 3)-isogenies whose kernel intersects the kernel of the dual of the previous isogeny trivially. Now we follow the edge that corresponds to the next three trits of the message. By excluding the other 13 (3, 3)-isogenies, we avoid trivial cycles in our path by not (partially or fully) backtracking. This process is repeated until the entire message has been hashed. As output, an invariant of the resulting p.p. abelian surface is then returned.
Given that we will have to compute cubic roots in the computations, p should ideally be chosen such that the valuation of p² − 1 at 3 is 1 in order to speed up the computations. In combination with our assumption p ≡ 2 mod 3, this means we want p ≡ 2, 5 mod 9. Of course, we want p large enough to provide ample security. The graph G_p was proven to be connected, see for example [31, Thm. 43]. Even though the graph is not Ramanujan, in the (2, 2)-case it still exhibits strong expander properties, so we assume this to be the case for (3, 3)-isogenies as well. The set of vertices of the graph is of size O(p³), of which the majority consists of p.p. abelian surfaces corresponding to Jacobians of genus-2 curves, and only O(p²) correspond to products of elliptic curves.


Remark 17. Since p² ≡ 1 mod 3 we have √−3 ∈ F_{p²}. Consequently, we can ignore the twisting factor −3 from Proposition 11 and identify J_{rst}/⟨T_1, T_2⟩ with J_{r's't'}. This comes at the (negligible) expense of carrying an extra factor √−3 in our multiradical isogeny formulae (called twist in our code); see Remark 16.

6.2 Starting p.p. abelian surface


It is still an open problem whether one can generate a supersingular elliptic curve over a large prime field in reasonable time without knowing its endomorphism ring. This knowledge can in fact compromise the security of the associated cryptographic protocols, see for example [18]. Even though this has not been explicitly written down yet for superspecial p.p. abelian surfaces, it is not too far-fetched to assume the knowledge of its endomorphism ring can pose similar security risks. On the same note, it is not known how to generate a genus-2 curve over a large prime field whose Jacobian is superspecial in reasonable time without knowing its endomorphism ring. Some exceptional curves are known, see for example [29, §1]. Note that all of these are curves with many automorphisms, possibly leading to small collisions at the start of the hash function. Therefore, a better starting vertex in our graph should be obtained by taking a long enough random walk in the graph starting from one of these exceptional cases. Given that the isomorphism classes corresponding to products of elliptic curves represent a negligible proportion of vertices in G_p for cryptographically large p, we can assume our starting vertex to be the Jacobian of a genus-2 curve. Furthermore,
we are interested in only 27 of the 40 (3, 3)-subgroups of this Jacobian. Hence
our starting point can be chosen as an (r, s, t)-parametrization from Section 5.1,
where the 27 (3, 3)-subgroups correspond precisely to those that intersect the
(3, 3)-subgroup determined by the (r, s, t)-parametrization trivially. Making this
choice can be seen as having performed a step 0 in the hash function, where
the kernel of the dual isogeny corresponding to this step is determined by this
(r, s, t)-parametrization.

6.3 Genus-2 curves versus products of elliptic curves


Vertices corresponding to the Jacobians of genus-2 curves or the product of
two elliptic curves will of course need to be handled differently with regard to
computing the next edge in our walk. Apart from this internal code distinction,
it is more user-friendly for a hash function to have a fixed size as output. The isomorphism class of the Jacobian of a genus-2 curve can be classified by its absolute Igusa invariants, which are ordered triplets of elements in F_{p²}, whereas products of elliptic curves are completely determined by an unordered pair of j-invariants in F_{p²}. In order to unify these two types of invariants in one output, we first note that the output carries only about 3 log p bits of entropy, since the graph has only O(p³) vertices, and not the 6 log p bits that three elements of F_{p²} may suggest. If the application for the hash function is not impeded by taking values in a set that is sparse in a much larger set, one can apply the following method during the hashing. Whenever we arrive at a vertex corresponding to a product of elliptic curves, we (deterministically) take one more step in the graph without processing information, to a vertex corresponding to the Jacobian of a genus-2 curve again. Alternatively, if one only wants an output of the same length as there is entropy, one needs to choose a function to reduce both the absolute Igusa invariants as well as the pair of j-invariants to something of size 3 log p.

6.4 Implementation
We implemented our (3, 3)-hash function in Magma (version 2.26-1) and ran it
on an Intel(R) Xeon(R) CPU E5-2630 v2 @ 2.60GHz with 128 GB of memory.
For every prime size considered we averaged the computation times over 100
random inputs of 1000 bits. A summary of our timed results can be found in
the following table, where we included the timings of the (2, 2)-hash function
from [9] for comparison. The security claims in the table are the same as in [9,
§7.4] and to the best of our knowledge, no advancements have been made in
that area. In particular, the best known classical attack is based on the general
Pollard-ρ attack, whereas the best known quantum attack is based on Grover’s
claw-finding algorithm.

                                             p ≈ 2^86   p ≈ 2^128   p ≈ 2^171   p ≈ 2^256
bits of classical security                      128         192         256         384
bits of quantum security                         86         128         170         256
output bits                                     516         768        1026        1536
time per bit processed, (2, 2)               5.01 ms     6.52 ms     9.33 ms    15.70 ms
time per bit processed, (3, 3) (this work)   4.70 ms     4.87 ms     5.54 ms     6.36 ms

To understand why the (3, 3)-hash function scales much better than the (2, 2)-
hash function, we take a look at the decomposition of the computation cost in
the following table.

                                             p ≈ 2^86   p ≈ 2^128   p ≈ 2^171   p ≈ 2^256
1) Tate pairings (cubic roots)                  7.0%        8.5%       11.2%       14.3%
2) Compute b_4's (arithmetic)                  20.5%       18.9%       18.9%       17.0%
3) Find other b_i's (two GCDs)                 16.4%       15.9%       15.8%       15.2%
4) Reparametrize r, s, t (Gröbner basis)       54.6%       55.3%       52.7%       52.2%
5) Isogenous curve (arithmetic)                 1.5%        1.4%        1.4%        1.3%

As p grows, the degrees of the polynomials involved in steps 3 and 4 in this


table don’t change, hence the complexity of these steps depends only on the
arithmetic of the field Fp2 . Asymptotically, root finding over finite fields Fp2 for
large p, e.g., with the Tonelli–Shanks algorithm, scales a lot worse than addition
and multiplication. Therefore, in the (3, 3)-hash function step 1 in the table takes
up a larger relative amount of work as p grows. For p large enough, this part of
the computation will dominate the total cost. In the (2, 2)-hash function on the
other hand, the computation is already heavily dominated by the three (square)
roots for small p, with only a handful of basic arithmetic operations.

Furthermore, the valuation of p² − 1 at N determines the complexity of finding an N-th root of an element in F_{p²}, see for instance [17, Thm. 1]. One can choose p such that 9 ∤ p² − 1, but at the very least we always have 8 | p² − 1, which means cubic roots can be computed significantly faster than square roots. In practice, Magma can compute cubic roots over F_{p²} faster than square roots by a factor of about 2.7 for large enough p.
Additionally, for every three computed roots, the (3, 3)-hash function can process 3 trits, whereas the (2, 2)-hash function can only process 3 bits. Asymptotically we can thus expect the (3, 3)-hash function to outperform the (2, 2)-hash function by a total factor of 2.7 · (3/2)³ ≈ 9. For F_{p²} with p = 2^1024 + 643 for example, we see that (2, 2)-hashing a 100-bit message takes about 20.4 seconds, whereas (3, 3)-hashing a 100-bit message takes about 2.26 seconds.
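The following Python script is an added example, not code from the thesis or its repository; it illustrates both the prime-selection rule p ≡ 2, 5 mod 9 from Section 6.1 and the cube-root cost argument above. When 9 ∤ p² − 1, cubing is a bijection on the subgroup of cubes of F_{p²}^*, so a cube root of a cube is a single exponentiation by 3^{−1} mod (p² − 1)/3, and the other two roots are obtained by scaling with ζ_3, which is also how Section 5.2 moves between the 27 good extensions. Assumptions made for the example: p ≡ 3 mod 4 so that F_{p²} can be modelled as F_p(i) with i² = −1, and small primes (p = 1019, 23, 71) instead of cryptographic sizes.

```python
# Added example: cube roots in F_{p^2} by a single exponentiation when 9 ∤ p^2 - 1.
# Assumes p ≡ 3 (mod 4) so that F_{p^2} = F_p(i) with i^2 = -1; elements are pairs (a, b) = a + b i.


def is_hash_prime(p):
    """p prime with p ≡ 2 (mod 3) and 9 ∤ p^2 - 1, i.e. p ≡ 2 or 5 (mod 9) (Section 6.1)."""
    if p < 2 or any(p % d == 0 for d in range(2, int(p ** 0.5) + 1)):
        return False
    return p % 9 in (2, 5)


def fp2_mul(u, v, p):
    """(a + b i)(c + d i) with i^2 = -1."""
    a, b = u
    c, d = v
    return ((a * c - b * d) % p, (a * d + b * c) % p)


def fp2_pow(u, e, p):
    """Square-and-multiply exponentiation in F_{p^2}."""
    r, base = (1, 0), u
    while e:
        if e & 1:
            r = fp2_mul(r, base, p)
        base = fp2_mul(base, base, p)
        e >>= 1
    return r


def cube_root_fp2(c, p):
    """The cube root of a cube c that is itself a cube.
    With q = p^2 and q - 1 = 3m, 3 ∤ m, the cubes form the subgroup of order m on which
    x -> x^3 is a bijection; its inverse is x -> x^e with 3e ≡ 1 (mod m)."""
    assert p % 4 == 3, "this example models F_{p^2} as F_p(i), which needs p ≡ 3 mod 4"
    m = (p * p - 1) // 3
    if m % 3 == 0:
        raise ValueError("9 | p^2 - 1: a single exponentiation does not suffice here")
    e = pow(3, -1, m)
    r = fp2_pow(c, e, p)
    if fp2_pow(r, 3, p) != c:
        raise ValueError("c is not a cube in F_{p^2}")
    return r


def primitive_cube_root_of_unity(p):
    """zeta_3 = g^m for any non-cube g, where m = (p^2 - 1)/3; exists since 3 | p^2 - 1."""
    m = (p * p - 1) // 3
    for k in range(p):
        z = fp2_pow((k, 1), m, p)
        if z != (1, 0):
            return z
    raise ValueError("no non-cube found")


def all_cube_roots(c, p):
    """The three cube roots r, r*zeta, r*zeta^2 of a cube c."""
    r = cube_root_fp2(c, p)
    z = primitive_cube_root_of_unity(p)
    rz = fp2_mul(r, z, p)
    return [r, rz, fp2_mul(rz, z, p)]


def demo(p=1019, x=(5, 7)):
    """Cube x, recover all three roots; True iff they are distinct, cube back to c, and include x."""
    c = fp2_pow(x, 3, p)
    roots = all_cube_roots(c, p)
    return len(set(roots)) == 3 and all(fp2_pow(r, 3, p) == c for r in roots) and x in roots


if __name__ == "__main__":
    print(is_hash_prime(1019), demo())
```

For a prime with 9 | p² − 1 (for instance p = 71, where p ≡ 8 mod 9) the exponent 3^{−1} mod m does not exist and a Tonelli–Shanks style loop over the 3-part of p² − 1 is needed instead, which is precisely the cost the choice p ≡ 2, 5 mod 9 avoids.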

References
[1] Iurie Boreico. My favorite problem – linear independence of radicals. In The Harvard College Mathematics Review, volume 2, pages 87–92. 2008.
[2] Bradley W. Brock. Superspecial curves of genera two and three. PhD thesis, Princeton University, 1993.
[3] Reinier Bröker, Everett W. Howe, Kristin E. Lauter, and Peter Stevenhagen. Genus-2 curves and Jacobians with a given number of points. LMS Journal of Computation and Mathematics, 18(1):170–197, 2015.
[4] Nils Bruin and Kevin Doerksen. The arithmetic of genus two curves with (4, 4)-split Jacobians. Canadian Journal of Mathematics, 63(5):992–1021, 2011.
[5] Nils Bruin, E. Victor Flynn, and Damiano Testa. Descent via (3, 3)-isogeny on Jacobians of genus 2 curves. Acta Arithmetica, 165(3):201–223, 2014.
[6] Peter Bruin. The Tate pairing for abelian varieties over finite fields. Journal de Théorie des Nombres de Bordeaux, 23(2):323–328, 2011.
[7] Frank Calegari, Shiva Chidambaram, and David P. Roberts. Abelian surfaces with fixed 3-torsion. In Proceedings of ANTS-XIV, volume 4 of Open Book Series, pages 91–108. Mathematical Sciences Publishers, 2020.
[8] David G. Cantor. On the analogue of the division polynomials for hyperelliptic curves. Journal für die reine und angewandte Mathematik, 447:91–146, 1994.
[9] Wouter Castryck, Thomas Decru, and Benjamin Smith. Hash functions from superspecial genus-2 curves using Richelot isogenies. Journal of Mathematical Cryptology, 14(1):268–292, 2020.
[10] Wouter Castryck, Thomas Decru, and Frederik Vercauteren. Radical isogenies. In Proceedings of Asiacrypt 2020 Part II, volume 12492 of Lecture Notes in Computer Science, pages 493–519. Springer, 2020.
[11] Wouter Castryck, Tanja Lange, Chloe Martindale, Lorenz Panny, and Joost Renes. CSIDH: An efficient post-quantum commutative group action. In Proceedings of Asiacrypt 2018 Part III, volume 11274 of Lecture Notes in Computer Science, pages 395–427. Springer, 2018.
[12] Denis X. Charles, Kristin E. Lauter, and Eyal Z. Goren. Cryptographic hash functions from expander graphs. Journal of Cryptology, 22(1):93–113, 2009.
[13] Daniel Coray and Constantin Manoil. On large Picard groups and the Hasse principle for curves and K3 surfaces. Acta Arithmetica, 76:165–189, 1996.
[14] Jean-Marc Couveignes. Hard homogeneous spaces. Cryptology ePrint Archive, available at https://eprint.iacr.org/2006/291, 2006.
[15] Pierre Deligne and Michael Rapoport. Les schémas de modules de courbes elliptiques. In Modular functions of one variable, II (Proceedings of the International Summer School, University of Antwerp, 1972), volume 349 of Lecture Notes in Mathematics, pages 143–316. Springer, 1973.
[16] Martin Djukanović. Families of (3, 3)-split Jacobians. Cornell University arXiv, available at https://arxiv.org/abs/1811.10075, 2018.
[17] Javad Doliskani and Éric Schost. Taking roots over high extensions of finite fields. Mathematics of Computation, 83(285):435–446, 2014.
[18] Kirsten Eisenträger, Sean Hallgren, Kristin Lauter, Travis Morrison, and Christophe Petit. Supersingular isogeny graphs and endomorphism rings: reductions and solutions. In Proceedings of Eurocrypt 2018, volume 10822 of Lecture Notes in Computer Science, pages 329–368. Springer, 2018.
[19] Gerd Faltings and Ching-Li Chai. Degeneration of Abelian Varieties, volume 22 of Ergebnisse der Mathematik und ihrer Grenzgebiete 3. Folge. Springer, 1990.
[20] Enric Florit and Benjamin Smith. Automorphisms and isogeny graphs of abelian varieties, with applications to the superspecial Richelot isogeny graph. Cornell University arXiv, available at https://arxiv.org/abs/2101.00919, 2020.
[21] E. Victor Flynn. Descent via (5, 5)-isogeny on Jacobians of genus 2 curves. Journal of Number Theory, 153:270–282, 2015.
[22] E. Victor Flynn and Yan Bo Ti. Genus two isogeny cryptography. In Proceedings of PQCrypto 2019, volume 11505 of Lecture Notes in Computer Science, pages 286–306. Springer, 2019.
[23] Gerhard Frey and Ernst Kani. Curves of genus 2 covering elliptic curves and an arithmetical application. In Proceedings of Arithmetic Algebraic Geometry, volume 89 of Progress in Mathematics, pages 153–176. Springer, 1991.
[24] Gerhard Frey and Hans-Georg Rück. A remark concerning m-divisibility and the discrete logarithm in the divisor class group of curves. Mathematics of Computation, 62(206):865–874, 1994.
[25] Steven D. Galbraith, Sachar Paulus, and Nigel P. Smart. Arithmetic on superelliptic curves. Mathematics of Computation, 71(237):393–405, 2002. (The cited theorem refers to a preliminary version of this paper, published as Hewlett-Packard Labs technical report HPL-98-179, available at https://www.hpl.hp.com/techreports/98/HPL-98-179.pdf.)
[26] Pierrick Gaudry and Éric Schost. Modular equations for hyperelliptic curves. Mathematics of Computation, 74(249):429–454, 2005.
[27] Genevieve Hanlon. Counting points in Sp(2n, F_q)/maximal parabolic subgroup. Course notes available at http://www-math.mit.edu/~dav/symplectic parabolic.pdf, 2005.
[28] Florian Hess. A note on the Tate pairing of curves over finite fields. Archiv der Mathematik, 82:28–32, 2004.
[29] Tomoyoshi Ibukiyama, Toshiyuki Katsura, and Frans Oort. Supersingular curves of genus two and class numbers. Compositio Mathematica, 57(2):127–152, 1986.
[30] Sorina Ionica. Pairing-based methods for Jacobians of genus 2 curves with maximal endomorphism ring. Journal of Number Theory, 133(11):3755–3770, 2013.
[31] Bruce W. Jordan and Yevgeni Zaytman. Isogeny graphs of superspecial abelian varieties and Brandt matrices. Cornell University arXiv, available at https://arxiv.org/abs/2005.09031, 2021.
[32] Ernst Kani. The number of curves of genus two with elliptic differentials. Journal für die reine und angewandte Mathematik, 485:93–122, 1997.
[33] Robert M. Kuhn. Curves of genus 2 with split Jacobian. Transactions of the American Mathematical Society, 307(1):41–49, 1988.
[34] James S. Milne. Abelian varieties. In Arithmetic geometry (Storrs, Connecticut, 1984), pages 103–150. Springer, New York, 1986.
[35] David Mumford. Abelian varieties, volume 5 of Tata Institute of Fundamental Research Studies in Mathematics. 2008. With appendices by C. P. Ramanujam and Yuri Manin; corrected reprint of the second (1974) edition.
[36] David Mumford, John Fogarty, and Frances Kirwan. Geometric invariant theory, volume 34 of Ergebnisse der Mathematik und ihrer Grenzgebiete 2. Folge. Springer, 1994. Third enlarged edition.
[37] David E. Rohrlich. Modular curves, Hecke correspondence, and L-functions. In Modular forms and Fermat's last theorem, pages 41–100. Springer, 1997.
[38] Tony Shaska. Genus 2 fields with degree 3 elliptic subfields. Forum Mathematicum, 16:263–280, 2004.
[39] Samir Siksek. Explicit arithmetic of modular curves. Summer school notes, available at https://homepages.warwick.ac.uk/staff/S.Siksek/teaching/modcurves/lecturenotes.pdf, 2019.
[40] Benjamin Smith. Explicit endomorphisms and correspondences. PhD thesis, University of Sydney, 2005.
[41] The Stacks project authors. The Stacks project. Available at https://stacks.math.columbia.edu, 2021.
[42] Anton Stolbunov. Public-key encryption based on cycles of isogenous elliptic curves. Master's thesis, Saint-Petersburg State Polytechnical University, 2004. In Russian.
[43] Marco Streng. Generators of the group of modular units for Γ_1(N) over the rationals. Cornell University arXiv, available at https://arxiv.org/abs/1503.08127v2, 2015.
[44] Katsuyuki Takashima. Efficient algorithms for isogeny sequences and their cryptographic applications. In T. Takagi et al., editor, Mathematical Modelling for Next-Generation Cryptography, volume 29 of Mathematics for Industry, pages 97–114. Springer, Singapore, 2018.
[45] Jacques Vélu. Isogénies entre courbes elliptiques. Comptes-Rendus de l'Académie des Sciences, Série I, 273:238–241, 1971.

Appendix: code for 3-torsion

The following is the Magma code that accompanies Section 5.2. The formulae
can be extracted as part of the hash function code found in our online repository
at https://github.com/KULeuven-COSIC/Multiradical-Isogenies, but we
deem the formulae important enough to be displayed in the appendix as well.
The variables r,s,t in the code represent the domain of the (3, 3)-isogeny, whereas R,S,T represent the codomain.14 The variables a,b,c represent cubic roots of factors of the Tate pairings. The variables b4ab and b4bc represent solutions for b_4 in (9). Note that we work with b_4 instead of b_5 since in practice we want to be able to distinguish between a divisor and its opposite. From these two solutions for b_4, we compute a Gröbner basis to find solutions for the other coefficients b_i. Note that the formulae are general, but Magma struggles to work over a degree-54 extension of a function field in 3 variables. Hence, to make the code work standalone, we opted to work with a concrete example where (R, S, T) = (2, 5, −3). To verify the formulae in general, one works over Q(R, S, T) and adjoins only the cubic roots a,b, for example. Then, one checks that one of the degree-18 factors from the minimal polynomial of b_4 coincides with the product ∏_{i=1}^{3} ∏_{j=1}^{3} (x² − b_4(ζ_3^i a, ζ_3^j b)), where the product ranges over all possible cubic roots a,b.

14 Remark that we want the codomain curve to have small integer parameters, so in the code these are defined first, after which we use the dual isogeny to compute the more elaborate rational parameters of the domain curve.
clear;
Q := Rationals();
R := 2; S := 5; T := -3;
Qx<x> := PolynomialRing(Q);
Q<twist> := ext<Q | x^2 + 3>;
Qx<x> := PolynomialRing(Q);

D1 := T;
D2 := S;
D3 := S*T + 1;
D4 := R^3 - 3*R*T + T^2 + T;
D5 := R^3*S - 3*R*S*T + S*T^2 + S*T + T;
D8 := R^2 - T;
D9 := R - 1;
D10 := R*S - S*T - 1;
D11 := S*T - S + 1;
DELTA := R^6*S^2 - 6*R^4*S^2*T - 3*R^4*S + 2*R^3*S^2*T^2 + 2*R^3*S^2*T
+ 3*R^3*S*T + R^3*S + R^3 + 9*R^2*S^2*T^2 + 6*R^2*S*T
- 6*R*S^2*T^3 - 6*R*S^2*T^2 - 9*R*S*T^2 - 3*R*S*T - 3*R*T + S^2*T^4
+ 2*S^2*T^3 + S^2*T^2 + 2*S*T^3 + 3*S*T^2 + T^2 + T;

r := -D2*D9*D8*(D5-R)/(D10^2*D4);
s := D10^3*D4^2/(D1*D2*D9^3*DELTA);
t := D2^2*D9^3*D8^3/(D10^3*D4^2);

d1 := t;
d2 := s;
d4 := r^3 - 3*r*t + t^2 + t;
d6 := r^3*s^2 - 3*r*s^2*t - 3*r*s + s^2*t^2 + s^2*t + 2*s*t + s + 1;
d7 := r^3*s^2*t + r^3*s - 3*r*s^2*t^2 - 3*r*s*t + s^2*t^3 + s^2*t^2 + 2*s*t^2 + t;

Q<a> := ext<Q | x^3 - d7>;
Q<b> := ext<Q | x^3 - d2*d4^2>;
Q<c> := ext<Q | x^3 - d1*d6^2>;

cofab1 := D1^2 *D4^4 *D10^8 /(D2^3*D8^6*D9^2*DELTA^2);
cofab2 := D1^2 *D4^4*D8 *D10^7 *D11 /(D2^2*D8^6*D9^2*DELTA^2);
cofab3 := D1 *D4^4*D8^2*D10^6 /(D2 *D8^6*D9^2*DELTA^2);
cofab4 := D1^2 *D4^2* D10^5 *D11 /(D2^2*D8^4*D9 *DELTA);
cofab5 := D1 *D4^2*D8* D10^4 /(D2 *D8^4*D9 *DELTA);
cofab6 := D1 *D3 *D4^2*D8^2*D10^3 /( D8^4*D9 *DELTA);
cofab7 := D1^2 *D10^2 / D8^2;
cofab8 := D1 *D10 / D8;
cofab9 := D11;

cofab1 *:= -6*S*T-2;
cofab2 *:= -2;
cofab3 *:= 6*S*T+4;
cofab4 *:= 2;
cofab5 *:= -6*S*T-2;
cofab6 *:= -6;
cofab7 *:= 6;
cofab8 *:= 6*S*T+4;

cofab9 *:= 2*S*T+1;

b4ab := twist* ((cofab9 + cofab8*a + cofab7*a^2) + (cofab6 + cofab5*a + cofab4*a^2)*b
    + (cofab3 + cofab2*a + cofab1*a^2)*b^2);

cofbc1 := 1 /(D2 *D4^3);
cofbc2 := D1^2 *D9 *D10 /(D2 *D4^3 *D8);
cofbc3 := D1^3 *D9^2*D10^2 /(D2 *D4^3*D5 *D8^2);
cofbc4 := D1 *D10^3 /(D2^2*D4 *D8^2*D9 *DELTA);
cofbc5 := D1^2 *D10^4 /(D2^2*D4 *D8^3 *DELTA);
cofbc6 := D1^3 *D9 *D10^5 /(D2^2*D4 *D5 *D8^4 *DELTA);
cofbc7 := D1 *D4 *D10^6 /(D2^3 *D8^4*D9^2*DELTA^2);
cofbc8 := D1^2*D4 *D10^7 /(D2^3 *D8^5*D9 *DELTA^2);
cofbc9 := D1^4*D4 *D10^8 /(D2^3 *D5 *D8^6 *DELTA^2);

cofbc1 *:= R^9*S^2*T + R^9*S^2 - R^9*S - 6*R^8*S^2*T - 3*R^7*S^2*T^2 - 3*R^7*S^2*T
- 5*R^7*S*T + R^6*S^2*T^3 + 40*R^6*S^2*T^2 + R^6*S^2*T + 13*R^6*S*T^2 + 13*R^6*S*T
- 2*R^6*T - 21*R^5*S^2*T^3 - 21*R^5*S^2*T^2 + 3*R^5*S*T^2 + 6*R^4*S^2*T^4 - 54*R^4*S^2*T^3
+ 6*R^4*S^2*T^2 - 52*R^4*S*T^3 - 52*R^4*S*T^2 - 6*R^4*T^2 - R^3*S^2*T^5 + 64*R^3*S^2*T^4
+ 64*R^3*S^2*T^3 - R^3*S^2*T^2 + 11*R^3*S*T^4 + 103*R^3*S*T^3 + 11*R^3*S*T^2 + 14*R^3*T^3
+ 14*R^3*T^2 - 33*R^2*S^2*T^5 - 48*R^2*S^2*T^4 - 33*R^2*S^2*T^3 - 15*R^2*S*T^4 - 15*R^2*S*T^3
- 18*R^2*T^3 + 9*R*S^2*T^6 + 15*R*S^2*T^5 + 15*R*S^2*T^4 + 9*R*S^2*T^3 + 7*R*S*T^5
- 40*R*S*T^4 + 7*R*S*T^3 - 6*R*T^4 - 6*R*T^3 - S^2*T^7 - 2*S^2*T^6 - 2*S^2*T^5
- 2*S^2*T^4 - S^2*T^3 - 3*S*T^6 + 9*S*T^5 + 9*S*T^4 - 3*S*T^3 - 2*T^5 + 14*T^4 - 2*T^3;
cofbc2 *:= -2*R^7*S + 8*R^6*S - 6*R^5*S + 6*R^5 + 2*R^4*S*T^2 - 22*R^4*S*T - 12*R^4*T
+ 22*R^3*S*T^2 + 28*R^3*S*T + 6*R^3*T - 18*R^2*S*T^3 - 24*R^2*S*T^2 - 6*R^2*S*T
+ 6*R^2*T^2 - 12*R^2*T + 4*R*S*T^4 + 20*R*S*T^3 - 2*R*S*T^2 + 6*R*T^3 + 6*R*T^2 -
4*S*T^4 - 2*S*T^3 + 2*S*T^2 - 12*T^3 + 6*T^2;
cofbc3 *:= 2*R^8*S - 6*R^7*S + 4*R^6*S*T - 8*R^5*S*T^2 + 16*R^5*S*T + 6*R^5*T
- 30*R^4*S*T^2 - 12*R^4*T + 44*R^3*S*T^3 + 14*R^3*S*T^2 + 6*R^3*T^2 - 10*R^2*S*T^4
- 32*R^2*S*T^3 - 22*R^2*S*T^2 - 12*R^2*T^3 + 6*R^2*T^2 - 6*R*S*T^4 + 36*R*S*T^3
+ 6*R*S*T^2 + 6*R*T^3 + 6*R*T^2 + 4*S*T^5 - 4*S*T^4 - 8*S*T^3 + 6*T^4 - 12*T^3;
cofbc4 *:= 2*R^9*S^2 - 2*R^8*S^2*T - 4*R^8*S^2 + 4*R^8*S - 8*R^7*S^2*T + 2*R^7*S^2
- 10*R^7*S + 16*R^6*S^2*T^2 + 26*R^6*S^2*T - 4*R^5*S^2*T^3 - 18*R^5*S^2*T^2 - 20*R^5*S^2*T
- 10*R^5*S*T^2 + 32*R^5*S*T + 6*R^5*T - 22*R^4*S^2*T^3 - 24*R^4*S^2*T^2 + 4*R^4*S^2*T
- 38*R^4*S*T^2 - 2*R^4*S*T - 12*R^4*T + 14*R^3*S^2*T^4 + 72*R^3*S^2*T^3 + 40*R^3*S^2*T^2
+ 60*R^3*S*T^3 + 6*R^3*S*T^2 + 6*R^3*T^2 - 2*R^2*S^2*T^5 - 32*R^2*S^2*T^4 - 64*R^2*S^2*T^3
- 16*R^2*S^2*T^2 - 14*R^2*S*T^4 - 40*R^2*S*T^3 - 26*R^2*S*T^2 - 12*R^2*T^3 + 6*R^2*T^2
+ 4*R*S^2*T^5 + 22*R*S^2*T^4 + 20*R*S^2*T^3 + 2*R*S^2*T^2 - 10*R*S*T^4 + 52*R*S*T^3
+ 8*R*S*T^2 + 6*R*T^3 + 6*R*T^2 - 2*S^2*T^5 - 4*S^2*T^4 - 2*S^2*T^3 + 6*S*T^5
- 6*S*T^4 - 12*S*T^3 + 6*T^4 - 12*T^3;
cofbc5 *:= -2*R^7*S + 4*R^6*S*T + 4*R^6*S - 2*R^6 - 6*R^5*S*T - 10*R^4*S*T^2 - 10*R^4*S*T
- 6*R^4*T + 2*R^3*S*T^3 + 46*R^3*S*T^2 + 2*R^3*S*T + 14*R^3*T^2 + 14*R^3*T - 24*R^2*S*T^3
- 24*R^2*S*T^2 - 18*R^2*T^2 + 10*R*S*T^4 + 2*R*S*T^3 + 10*R*S*T^2 - 6*R*T^3 - 6*R*T^2
- 2*S*T^5 - 2*S*T^2 - 2*T^4 + 14*T^3 - 2*T^2;
cofbc6 *:= 2*R^8*S - 6*R^7*S*T + 4*R^6*S*T + 16*R^5*S*T^2 - 8*R^5*S*T + 6*R^5*T
- 30*R^4*S*T^2 - 12*R^4*T^2 + 14*R^3*S*T^3 + 44*R^3*S*T^2 + 6*R^3*T^2 - 22*R^2*S*T^4
- 32*R^2*S*T^3 - 10*R^2*S*T^2 + 6*R^2*T^3 - 12*R^2*T^2 + 6*R*S*T^5 + 36*R*S*T^4
- 6*R*S*T^3 + 6*R*T^4 + 6*R*T^3 - 8*S*T^5 - 4*S*T^4 + 4*S*T^3 - 12*T^4 + 6*T^3;
cofbc7 *:= 2*R^9*S^2 - 4*R^8*S^2*T - 2*R^8*S^2 + 4*R^8*S + 2*R^7*S^2*T^2 - 8*R^7*S^2*T
- 10*R^7*S*T + 26*R^6*S^2*T^2 + 16*R^6*S^2*T - 20*R^5*S^2*T^3 - 18*R^5*S^2*T^2 - 4*R^5*S^2*T
+ 32*R^5*S*T^2 - 10*R^5*S*T + 6*R^5*T + 4*R^4*S^2*T^4 - 24*R^4*S^2*T^3 - 22*R^4*S^2*T^2
- 2*R^4*S*T^3 - 38*R^4*S*T^2 - 12*R^4*T^2 + 40*R^3*S^2*T^4 + 72*R^3*S^2*T^3 + 14*R^3*S^2*T^2
+ 6*R^3*S*T^3 + 60*R^3*S*T^2 + 6*R^3*T^2 - 16*R^2*S^2*T^5 - 64*R^2*S^2*T^4 - 32*R^2*S^2*T^3
- 2*R^2*S^2*T^2 - 26*R^2*S*T^4 - 40*R^2*S*T^3 - 14*R^2*S*T^2 + 6*R^2*T^3 - 12*R^2*T^2
+ 2*R*S^2*T^6 + 20*R*S^2*T^5 + 22*R*S^2*T^4 + 4*R*S^2*T^3 + 8*R*S*T^5 + 52*R*S*T^4
- 10*R*S*T^3 + 6*R*T^4 + 6*R*T^3 - 2*S^2*T^6 - 4*S^2*T^5 - 2*S^2*T^4 - 12*S*T^5
- 6*S*T^4 + 6*S*T^3 - 12*T^4 + 6*T^3;
cofbc8 *:= -2*R^7*S + 8*R^6*S*T - 6*R^5*S*T^2 + 6*R^5*T - 22*R^4*S*T^2 + 2*R^4*S*T
- 12*R^4*T + 28*R^3*S*T^3 + 22*R^3*S*T^2 + 6*R^3*T^2 - 6*R^2*S*T^4 - 24*R^2*S*T^3
- 18*R^2*S*T^2 - 12*R^2*T^3 + 6*R^2*T^2 - 2*R*S*T^4 + 20*R*S*T^3 + 4*R*S*T^2 + 6*R*T^3
+ 6*R*T^2 + 2*S*T^5 - 2*S*T^4 - 4*S*T^3 + 6*T^4 - 12*T^3;
cofbc9 *:= -8*R^7*S + 10*R^6*S*T + 10*R^6*S - 2*R^6 + 12*R^5*S*T - 40*R^4*S*T^2 - 40*R^4*S*T
- 6*R^4*T + 8*R^3*S*T^3 + 64*R^3*S*T^2 + 8*R^3*S*T + 14*R^3*T^2 + 14*R^3*T - 6*R^2*S*T^3
- 6*R^2*S*T^2 - 18*R^2*T^2 + 4*R*S*T^4 - 28*R*S*T^3 + 4*R*S*T^2 - 6*R*T^3 - 6*R*T^2
- 2*S*T^5 + 6*S*T^4 + 6*S*T^3 - 2*S*T^2 - 2*T^4 + 14*T^3 - 2*T^2;

b4bc := twist* ((cofbc1 + cofbc2*c + cofbc3*c^2) + (cofbc4 + cofbc5*c + cofbc6*c^2)*b
+ (cofbc7 + cofbc8*c + cofbc9*c^2)*b^2);

Qbi<b1,b2,b3,b5,b6,b7> := PolynomialRing(Q,6);
Qx<x> := PolynomialRing(Qbi);

H1 := x^2 + R*x + T;
lambda1 := 4*S;
G1 := (S - S*T - 1)*x^3 + 3*S*(R - T)*x^2 + 3*S*R*(R - T)*x - S*T^2 + S*R^3 + T;
F := G1^2 + lambda1*H1^3;

bis := [];
for b4 in [b4ab,b4bc] do
    Fbi := (b4*x^3 + b3*x^2 + b2*x + b1)^2 + b7*(x^2 + b6*x + b5)^3;
    I := {Eltseq(F)[i] - Eltseq(Fbi)[i] : i in [1..7]};
    GB := GroebnerBasis(I);
    roots := [Roots(UnivariatePolynomial(GB[i]))[1][1] : i in [1..6]];
    bi := roots[1..3] cat [b4] cat roots[4..6];
    Append(~bis, bi);
end for;

C := HyperellipticCurve(F);
J := Jacobian(C);

for bi in bis do
    T := J ! [Qx ! (bi[5..6] cat [1]), Qx ! bi[1..4]];
    assert 3*T eq J ! 0;
end for;
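The Magma loop above verifies 3*T = 0 on the Jacobian directly. The Python/sympy script below is an added example, not part of the thesis code: it checks the same property algebraically, by lifting the Mumford representative [u, v] to a cubic G with F - G^2 = lam*u^3 (the identity behind the construction F := G1^2 + lambda1*H1^3), and runs it on one member of the page's family with the arbitrary specialisation (R, S, T) = (1, 2, 3) and on a divisor that is not 3-torsion. The function names and sample values are mine.

```python
from sympy import symbols, Poly, QQ, gcd, invert, rem, div, discriminant, expand

x = symbols('x')

def three_torsion_lift(F, u, v):
    """Curve y^2 = F(x), deg F = 6 (genus 2), and a Mumford divisor D = [u, v]
    with deg u = 2 (deg v <= 1 after reduction).  D is 3-torsion on the Jacobian
    exactly when a cubic G with G = v (mod u) satisfies F - G^2 = lam*u^3, lam != 0:
    then (y - G)(y + G) = lam*u^3, i.e. div(y - G) = 3*P1 + 3*P2 - 3*D_inf.
    Write G = v + u*L with L linear; modulo u the condition becomes the linear
    congruence (F - v^2)/u = 2*v*L (mod u), which fixes L, and the full identity
    is then checked by exact division.  Assumes gcd(u, v) = 1, i.e. no Weierstrass
    point in D (that edge case is not treated here).  Returns (G, lam) or None."""
    F, u, v = (Poly(p, x, domain=QQ) for p in (F, u, v))
    if F.degree() != 6 or u.degree() != 2:
        raise ValueError("expect deg F = 6 and deg u = 2")
    W, r = div(F - v**2, u)                  # Mumford condition: u divides F - v^2
    if not r.is_zero:
        raise ValueError("[u, v] is not a divisor on y^2 = F")
    if v.is_zero:                            # then D = -D != 0, so 3D = D != 0
        return None
    if gcd(u, v).degree() != 0:
        raise ValueError("gcd(u, v) != 1 is outside the scope of this example")
    L = rem(W * invert(2*v, u), u)           # unique linear L with 2*v*L = W (mod u)
    G = v + u*L
    lam, r = div(F - G**2, u**3)
    if not r.is_zero or lam.degree() != 0:   # degree 0 also excludes lam = 0
        return None
    return G, lam.LC()

def demo():
    """Constructed inputs.  First, one member of the page's family
    F = G1^2 + 4*S*H1^3 with (R, S, T) = (1, 2, 3), an arbitrary specialisation:
    the divisor [H1, G1 mod H1] must lift back to G = G1 with lam = 4*S = 8.
    Second, [x^2 - 2, 3] on y^2 = x^6 + 1, a divisor that is not 3-torsion."""
    R, S, T = 1, 2, 3
    H1 = x**2 + R*x + T
    G1 = (S - S*T - 1)*x**3 + 3*S*(R - T)*x**2 + 3*S*R*(R - T)*x - S*T**2 + S*R**3 + T
    F = expand(G1**2 + 4*S*H1**3)
    squarefree = discriminant(F, x) != 0     # squarefree sextic: genuinely genus 2
    got = three_torsion_lift(F, H1, rem(G1, H1, x))
    recovered = got is not None and expand(got[0].as_expr() - G1) == 0
    lam = None if got is None else got[1]
    rejected = three_torsion_lift(x**6 + 1, x**2 - 2, 3) is None
    return squarefree, recovered, lam, rejected

if __name__ == "__main__":
    print(demo())                            # (True, True, 8, True)
```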

Curriculum vitae

Thomas Decru was a professional poker player for half a decade after finishing
high school. He obtained his BSc in mathematics from KU Leuven in 2016 and
his MSc in mathematics from KU Leuven in 2018. His master's thesis research was
carried out under the supervision of Professor Bart Preneel, Professor Fréderik
Vercauteren and Doctor Wouter Castryck. He joined the COSIC research group at
KU Leuven to pursue a PhD on the same topic as his master's thesis. During his
PhD, he also successfully passed the majority of the courses required to obtain
his MSc in educational studies in science and technology.

FACULTY OF ENGINEERING SCIENCE
DEPARTMENT OF ELECTRICAL ENGINEERING
COSIC, RESEARCH GROUP AT IMEC AND KU LEUVEN
Kasteelpark Arenberg 10/2452
B-3001 Leuven
thomas.decru@esat.kuleuven.be