PEGASIS: Practical Effective Class Group Action using 4-Dimensional Isogenies

Pierrick Dartois; Jonathan Komada Eriksen; Tako Boris Fouotsa; Arthur Herlédan Le Merdy; Riccardo Invernizzi; Damien Robert; Ryan Rueger; Frederik Vercauteren; Benjamin Wesolowski

Paper 2025/401

PEGASIS: Practical Effective Class Group Action using 4-Dimensional Isogenies

Pierrick Dartois

, Inria Bordeaux - Sud-Ouest Research Centre

Jonathan Komada Eriksen

, KU Leuven

Tako Boris Fouotsa

, École Polytechnique Fédérale de Lausanne

Arthur Herlédan Le Merdy

, École Normale Supérieure de Lyon

Riccardo Invernizzi

, KU Leuven

Damien Robert

, Inria Bordeaux - Sud-Ouest Research Centre

Ryan Rueger

, IBM Research - Zurich

Frederik Vercauteren, KU Leuven

Benjamin Wesolowski

, École Normale Supérieure de Lyon

Abstract

In this paper, we present the first practical algorithm to compute an effective group action of the class group of any imaginary quadratic order $\mathcal{O}$ on a set of supersingular elliptic curves primitively oriented by $\mathcal{O}$. Effective means that we can act with any element of the class group directly, and are not restricted to acting by products of ideals of small norm, as for instance in CSIDH. Such restricted effective group actions often hamper cryptographic constructions, e.g. in signature or MPC protocols. Our algorithm is a refinement of the Clapoti approach by Page and Robert, and uses $4$-dimensional isogenies. As such, it runs in polynomial time, does not require the computation of the structure of the class group, nor expensive lattice reductions, and our refinements allows it to be instantiated with the orientation given by the Frobenius endomorphism. This makes the algorithm practical even at security levels as high as CSIDH-4096. Our implementation in SageMath takes 1.5s to compute a group action at the CSIDH-512 security level, 21s at CSIDH-2048 level and around 2 minutes at the CSIDH-4096 level. This marks the first instantiation of an effective cryptographic group action at such high security levels. For comparison, the recent KLaPoTi approach requires around 200s at the CSIDH-512 level in SageMath and 2.5s in Rust.

Metadata

Available format(s): PDF
Category: Public-key cryptography
Publication info: Preprint.
Keywords: Isogenies Group Action
Contact author(s): pierrick dartois @ inria fr
jonathan eriksen97 @ gmail com
fouotsabcrb @ gmail com
arthur herledan_le_merdy @ ens-lyon fr
riccardo invernizzi @ esat kuleuven be
damien robert @ inria fr
ryan @ rueg re
frederik vercauteren @ gmail com
benjamin wesolowski @ ens-lyon fr
History: 2025-03-04: approved; 2025-03-03: received; See all versions
Short URL: https://ia.cr/2025/401
License: CC BY

BibTeX

@misc{cryptoeprint:2025/401,
      author = {Pierrick Dartois and Jonathan Komada Eriksen and Tako Boris Fouotsa and Arthur Herlédan Le Merdy and Riccardo Invernizzi and Damien Robert and Ryan Rueger and Frederik Vercauteren and Benjamin Wesolowski},
      title = {{PEGASIS}: Practical Effective Class Group Action using 4-Dimensional Isogenies},
      howpublished = {Cryptology {ePrint} Archive, Paper 2025/401},
      year = {2025},
      url = {https://eprint.iacr.org/2025/401}
}