The Isogeny to Endomorphism Ring Problem (IsERP) asks to compute the endomorphism ring of the codomain of an isogeny between supersingular curves in characteristic $p$ given only a representation for this isogeny, i.e. some data and an algorithm to evaluate this isogeny on any torsion point. This problem plays a central role in isogeny-based cryptography; it underlies the security of the pSIDH protocol (ASIACRYPT 2022) and it is at the heart of the recent attacks that broke the SIDH key exchange. Prior to this work, no efficient algorithm was known to solve IsERP for a generic isogeny degree, the hardest case seemingly being when the degree is prime. In this paper, we introduce a new quantum polynomial-time algorithm to solve IsERP for isogenies whose degrees are odd and have $O(\log\log p)$ many prime factors. As main technical tools, our algorithm uses a quantum algorithm for computing hidden Borel subgroups, a group action on supersingular isogenies from EUROCRYPT 2021, various algorithms for the Deuring correspondence and a new algorithm to lift arbitrary quaternion order elements modulo an odd integer $N$ with $O(\log\log p)$ many prime factors to powersmooth elements. As a main consequence for cryptography, we obtain a quantum polynomial-time key recovery attack on pSIDH. The technical tools we use may also be of independent interest.