Computing isogenies between finite Drinfeld modules

We prove that isogenies between Drinfeld $\mathbb{F}_q[x]$-modules over a finite field can be computed in polynomial time. This breaks Drinfeld analogs of isogeny-based cryptosystems.


Introduction
In this paper we prove the following theorem.
Theorem 1. Given an integer $n$ and two Drinfeld $\mathbb{F}_q[x]$-modules $\phi$ and $\psi$ over a finite field $L$, one can compute an isogeny $\iota : \phi \to \psi$ of $\tau$-degree $n$, or decide that none exists, in polynomial time in $n$ and in the length of the input. More precisely, the set of morphisms from $\phi$ to $\psi$ of degree at most $n$ is an $\mathbb{F}_q$-linear space, of which the algorithm finds a basis.

This algorithm breaks Drinfeld analogs of isogeny-based cryptosystems in polynomial time. A first algorithm to compute such isogenies was described in [JN19], also with the aim to break such cryptosystems. However, it was observed in [LS22] that the algorithm of [JN19] has an exponential complexity in $n$, heuristically. A similar algorithm to [JN19] was independently proposed in [CGS20], together with an analysis that indeed features an exponential dependence in $n$. That exponential complexity raised new hope that Drinfeld-based cryptosystems could be secure. Such cryptosystems are inspired by isogeny-based cryptosystems on elliptic curves [Cou06, JD11, CLM+18] (leveraging similarities between elliptic curves and Drinfeld modules), but the attack from the present paper has no known impact on the elliptic curves side.

The strategy we propose in this paper to find isogenies starts similarly to [JN19] and [CGS20], reducing the problem to a system of polynomial equations. In [JN19] and [CGS20], this system is solved by a recursive strategy, resulting in a tree of potential solutions. One can then explore the tree to find actual solutions, but the tree has exponential size, and solutions may be sparse. Instead, we linearise the system of equations, and find the space of all solutions with efficient linear algebra.

Drinfeld modules
Let $q$ be a power of a prime number, and $\mathbb{F}_q$ the field with $q$ elements. Consider a field extension $L/\mathbb{F}_q$, and the Frobenius endomorphism $\tau : \alpha \mapsto \alpha^q$ of $L$. The ring of Ore polynomials is the subring $L\{\tau\}$ of $\mathbb{F}_q$-linear endomorphisms of $L$ consisting of elements of the form $\sum_{i=0}^{n} \alpha_i \tau^i$, for arbitrary $n \in \mathbb{Z}_{\geq 0}$ and $\alpha_i \in L$. If $\alpha_n \neq 0$, the integer $n$ is called the $\tau$-degree of the polynomial, written $\deg_\tau$. As soon as $L \neq \mathbb{F}_q$, the ring is not commutative, as $\tau\alpha = \alpha^q\tau$ for any $\alpha \in L$.

E-mail: benjamin.wesolowski@ens-lyon.fr (Benjamin Wesolowski)

Let $k$ be an extension of $\mathbb{F}_q$ of transcendence degree 1, with a place $\infty$, and $A$ its subring of regular functions outside $\infty$. Given any non-zero ideal $\mathfrak{a}$ in $A$, we write $\deg(\mathfrak{a}) = \log_q(\#(A/\mathfrak{a}))$. Given any non-zero element $a \in A$, we write $\deg(a) = \deg(aA)$. Let $L$ be a field equipped with a non-zero ring homomorphism $\gamma : A \to L$. For $\iota : \phi \to \psi$ to be an isogeny of Drinfeld $\mathbb{F}_q[x]$-modules, it is sufficient to verify $\iota\phi_x = \psi_x\iota$.

Proof of the main theorem
We fix an integer $n$ and two Drinfeld $\mathbb{F}_q[x]$-modules $\phi$ and $\psi$ over a finite field $L$. We prove in this section that one can compute an isogeny $\iota : \phi \to \psi$ of $\tau$-degree $n$, or decide that none exists, in polynomial time in $n$ and in the length of the input.

Proof of Theorem 1
Write $\phi_x = \sum_{j=0}^{r} \alpha_j \tau^j$ and $\psi_x = \sum_{j=0}^{r} \beta_j \tau^j$, with $\alpha_0 = \beta_0 = \gamma(x)$. The strategy starts similarly to previous work. It is sufficient to find the coefficients of an Ore polynomial $\iota = \sum_{i=0}^{n} \iota_i \tau^i \in L\{\tau\}$ such that $\iota\phi_x = \psi_x\iota$. We wish to solve

Writing $\alpha_i = \beta_i = 0$ for any $i > r$, the left hand side can be written as

Similarly, the right hand side can be written as

Comparing the coefficients, we obtain the system

The field $L$ is an $\mathbb{F}_q$-vector space of finite dimension $d = [L : \mathbb{F}_q]$, and each $\alpha \mapsto \alpha^{q^i}$ is a linear map. Hence, the above system is an $\mathbb{F}_q$-linear system of $(n + r)d$ equations in $(n + 1)d$ variables. One can thus solve this system and find a solution $\iota$ such that $\iota_n \neq 0$ (i.e., an isogeny of $\tau$-degree $n$), or decide that none exists, in polynomial time.
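The linearisation used in this proof, as an added example that is not code from the paper: for the constructed toy case $q = 2$, $L = \mathbb{F}_8$, the coefficients of $\iota\phi_x - \psi_x\iota$ are computed with the rule $\tau\alpha = \alpha^q\tau$ for each $\mathbb{F}_2$-coordinate of the unknown $\iota$, and the solution space is obtained by Gaussian elimination. The names `mul`, `frob`, `ore_mul`, `morphisms` and the sample modules `PHI_X`, `PSI_X` are assumptions made for this illustration.

```python
# Constructed toy case: q = 2, L = F_8 = F_2[x]/(x^3 + x + 1), elements as 3-bit ints.
D, MOD = 3, 0b1011
def mul(a, b):
    """Product in L: carry-less multiplication reduced modulo MOD."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a >> D:
            a ^= MOD
        b >>= 1
    return r

def frob(a, i):
    """tau^i applied to a, i.e. a^(q^i) with q = 2."""
    for _ in range(i):
        a = mul(a, a)
    return a

def ore_mul(f, g):
    """Product in L{tau}, using the rule tau^i * b = b^(q^i) * tau^i."""
    out = [0] * (len(f) + len(g) - 1)
    for i, a in enumerate(f):
        for j, b in enumerate(g):
            out[i + j] ^= mul(a, frob(b, i))
    return out

def morphisms(phi_x, psi_x, n):
    """F_2-basis of all iota with deg_tau <= n and iota*phi_x = psi_x*iota."""
    pivots, basis = {}, []
    for v in range((n + 1) * D):
        iota = [0] * (n + 1)
        iota[v // D] = 1 << (v % D)  # v-th F_2-coordinate of the unknown iota
        lhs, rhs = ore_mul(iota, phi_x), ore_mul(psi_x, iota)
        # Pack the tau^k coefficients of iota*phi_x - psi_x*iota into one bit vector.
        img = sum((a ^ b) << (k * D) for k, (a, b) in enumerate(zip(lhs, rhs)))
        combo = 1 << v
        while img and img.bit_length() in pivots:  # Gaussian elimination over F_2
            p_img, p_combo = pivots[img.bit_length()]
            img, combo = img ^ p_img, combo ^ p_combo
        if img:
            pivots[img.bit_length()] = (img, combo)
        else:  # this combination of unknowns maps to zero: a solution
            basis.append([(combo >> (i * D)) & (2**D - 1) for i in range(n + 1)])
    return basis

PHI_X = [1, 2, 3]                      # constructed rank-2 module, gamma(x) = 1
PSI_X = [frob(c, 1) for c in PHI_X]    # its Frobenius twist, so tau : phi -> psi
```

An empty list from `morphisms` is the "none exists" outcome of the theorem; an isogeny of $\tau$-degree exactly $n$ exists when some combination of the returned basis vectors has a non-zero last coefficient.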

Comparison with previous work
Previous work on computing isogenies focused on the case of rank 2, where the two Drinfeld modules $\phi, \psi \in \mathrm{Dr}_2(\mathbb{F}_q[x], L)$ are fully determined by Ore polynomials $\phi_x = \Delta_\phi \tau^2 + g_\phi \tau + \omega$ and $\psi_x = \Delta_\psi \tau^2 + g_\psi \tau + \omega$ in $L\{\tau\}$, with $\Delta_\phi \neq 0$ and $\Delta_\psi \neq 0$, and $\omega = \gamma(x)$. To find an isogeny, one has to find $\iota = \sum_{i=0}^{n} \iota_i \tau^i \in L\{\tau\}$ such that $\iota\phi_x = \psi_x\iota$. In [JN19] and [CGS20], one starts with the same strategy followed above, expanding both sides of the equality and identifying the coefficients in $\tau^i$, which yields the system

Now, our strategy diverges from previous methods. In [JN19] and [CGS20], one uses these equations from $\tau^{n+2}$ to $\tau^2$, in this order, to recursively find candidate solutions for $\iota_n$ to $\iota_1$, in this order. At each step, there are either 0 or $q$ possible solutions for $\iota_i$ [LS22, Lemma 4.2], forming a tree that can be explored. Each leaf of the tree then provides a solution if it also satisfies the final equation from $\tau^1$. It was heuristically argued in [LS22] that this tree has exponential size in $n$, and that successful leaves are rare, leading to an exponential running time.

Definition 1. A Drinfeld $A$-module over $L$ is a ring homomorphism $\phi : A \to L\{\tau\}$ such that $\phi(A) \not\subseteq L$ and the $\tau^0$ coefficient of $\phi(a)$ is $\gamma(a)$ for any $a \in A$. For any $a \in A$, we write $\phi_a = \phi(a)$. The rank of $\phi$ is the integer $r$ such that $\deg_\tau(\phi_a) = r \deg(a)$ for any $a \in A$. We write $\mathrm{Dr}_r(A, L)$ the set of Drinfeld $A$-modules over $L$ of rank $r$.

As in previous literature [JN19, CGS20], we focus on the archetypical case $A = \mathbb{F}_q[x]$. Then, a Drinfeld module is fully determined by $\phi_x$, the image of $x \in \mathbb{F}_q[x]$.

Definition 2. A morphism of Drinfeld $A$-modules $\iota : \phi \to \psi$ over $L$ is an Ore polynomial $\iota \in L\{\tau\}$ such that $\iota\phi_a = \psi_a\iota$ for any $a \in A$. An isogeny is a non-zero morphism.