Isogenies and Cryptography Jana Sotáková Abstract: I come from a generation that grew up with the smartphone. The small gadget has been in my hand for almost 20 years, and has been my primary source of communication with the world. Not just talking to my family and friends, but my affairs are increasingly handled through my phone. I opened my bank account by walking into the branch office near my home, but that office is long gone and all my finances are handled via the app. The government in the Netherlands also uses an electronic identity, so any official business the government wants with me happens over the internet. And while my first tax experience in the Netherlands was with the legendary 80-page paper M-form, all my other tax returns were handled electronically, and I would not know how to do my civic duty any other way. In a world in which it is impossible to disconnect and we are forced to handle all our matters online, we need protections for our privacy, as well as protection against abuse and interference by malicious actors. I trusted that the workers in the marble building of my bank were truly authorized to handle my finances, and what we arranged was to remain my private matter. When I talk to my family sitting in the garden, I can look around and decide whether I can share intimate details of my life or whether somebody is listening. When I am connected to the internet, I want the same guarantees. I want my communication to be encrypted: protected with an extra coating that guarantees that nobody else can read (or even stronger protections, so nobody can manipulate) my messages. This extra layer is achieved via carefully crafted algorithms. And figuring out what these algorithms should be is the art of cryptography. One might think of cryptography as putting our information in a strong safe. The correct combination will open the safe, but without the correct code, neither a sledgehammer nor dynamite will help you see what is inside. The cryptographic safe is built from mathematical problems, and the dynamite is anything computers can do. We know what mathematical material to use to build our safes so that there is not enough dynamite in the world to damage it. You might think: all this is not unique to the smartphone, we need cryptography for any kind of electronic communication. But the smartphone, to me, is an example of technology that was dreamt of by visionaries 50 years ago, only existed as a barely-practical curiosity 30 years ago, underwent a massive technological boost and by now has changed the world we live in. Another such novel technology that could have even more impact on our lives is quantum computing. This term refers to a new kind of computers that will use different ways to manipulate the ones and zeros that classical computers use. And we already know what some of the impact of quantum computing would be -- bringing about many exciting possibilities. Massive amounts of both public and private money are being spent on making this technology real. The bad news is that should quantum computers become real technology, our current cryptography will not be enough. In the safe analogy, quantum computers would not add extra potency to the dynamite already out there, but rather produce a new substance. Armed with this new substance, we would see the strongest safes opening before our eyes. Post-quantum cryptography is the search for new mathematical problems that will help us build quantum-safe safes. Currently, the cryptographic community is working on preparing the new safes: we have identified potential material (for instance lattices and hash functions) and are in the process of choosing the best designs (standardized by various government agencies and accepted widely by the community). When that is done, we need to test the new safes, and make sure they are deployed widely. All of these tasks require significant effort. But we continue to explore more materials. This is because different people have different requirements for the size and shape of their safes (cryptographic protocols). And because there is always the chance that new attack avenues (different dynamite, or better algorithms) might weaken our preferred safe. In this thesis, we focus on a particular material, isogenies of elliptic curves. We can abstract elliptic curves as simple dots (with extremely rich algebraic structure), and an isogeny is an edge (line segment) connecting two dots, with labels some fixed prime ell (the degree of the connecting isogeny). The resulting isogeny graphs can have very different structure: [figure] The graph on the left is an example of an isogeny volcano: a regular and symmetric graph. The graph on the right exhibits none of this symmetry, and even has the special rapid mixing property that if we start with one dot, then walk following 7 edges at random, will reach any other dot in the graph with roughly the same probability. This does not work for the graph on the left. Cryptographers have built protocols from either of the situations. On the right hand side, if we select two random vertices, finding a path between them in the graph is believed to be a hard problem. In practice, the graph will not have 50 vertices as displayed, but the order of 2^256. Finding a path in the graph is like finding a path in a forest on a moonless night: we can see the neighboring vertices, but not the whole area. One of the chapters of this thesis is devoted to studying these graphs and their mathematical properties. The graphs on the left can also be turned into cryptographic protocols. We can construct these graphs for the same set of elliptic curves for primes ell = 3,5, 7, dots. In most cases, these graphs look like cycles (without the edges sticking out). And for each different prime, the order of the vertices on the cycle will be very different. Hence, one can take a few steps in the graph for ell = 3, jump to the graph for ell = 5, take a few steps there, and repeat this for a number of primes. Miraculously, the resulting walk will have the same properties as in the graph on the right: we will be able to reach any elliptic curve with just a few steps (a few hundred steps, which is very small compared to having 2^256 vertices). Protocols based on this construction are the main focus of this thesis. One instantiation of the setup so roughly described above is the cryptographic protocol CSIDH (pronounced like ``seaside'') by Castryck, Lange, Martindale, Panny, and Renes (2018). We take their schematics for a safe, and study them from several sides. First, we examine the hardness of the mathematical problems they base their protocol on: namely the decisional Diffie--Hellman problem (DDH). We find that the CSIDH protocol is secure, but identify a surprising structure in related protocols, and find many instances in which the DDH problem is not hard. Next, we consider implementation security: we implement the protocol in a way such that the timing of the computation does not reveal any information about the secrets. This is an essential requirement for cryptographic protocols in practice; our software, which we call CTIDH (pronounced ``sea tide''), produces record speeds among the constant-time implementations of CSIDH. Finally, we consider the physical security of the safe: we suppose somebody has access to a device running the computation, and is able to insert a well-timed error in the computation. We show that errors that flip the direction of the step (clockwise or counterclockwise in the cycle on the left) leak too much information, which can be used to reconstruct the secret. Isogeny graphs are one possible material from which to build post-quantum safes. This thesis deepens the understanding of both the mathematical assumptions (the material) and the implementation (how the safe should be built).