5

In “Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies” by DeFeo, Jao and Plut (PDF), the public parameters are defined as:

  1. Supersingular curve $E$, and
  2. bases $P, Q$ generating the torsion subgroup $E[l]$ respectively for Alice and Bob.

The parameters for the key exchange generated by Alice would be:

  • Random elements $m, n$.
  • The isogeny with kernel $K := \langle[m]P + [n]P\rangle$.
  • Some other stuff beyond this question…

So the question is:

Why does it not suffice to generate the torsion subgroup (respectively the isogeny, defined by kernel) with just one point $P$? Taken the subgroup $\langle P\rangle = E[x]$ i could also generate an isogeny. Also the final isogeny could be generated by Bob using only $\mathit{Alice}'$ resulting curve $E_{\mathit{Alice}}$ and the image of the the point $P_{\mathit{Alice}}$ as well as Bobs secret parameters.

yyyyyyy
  • 12,261
  • 4
  • 48
  • 68
Fleeep
  • 512
  • 2
  • 12

1 Answers1

3

Found the answer:

The $l$-torsion subgroup is isomorphic to a direct sum of two quotient groups: $E[l] \simeq \mathbb{Z}_n \oplus \mathbb{Z}_n$, hence the basis requires two points and the elements of $E[l]$ are represented by linear combinations of such a basis. [Reference: Elliptic Curves, Washington, section 3.1]

yyyyyyy
  • 12,261
  • 4
  • 48
  • 68
Fleeep
  • 512
  • 2
  • 12