Common use of Bibliography Clause in Contracts

Bibliography. [ABD16] ▇▇▇▇▇▇ ▇▇▇▇▇▇▇▇, ▇▇▇ ▇▇▇, and ▇▇▇ ▇▇▇▇▇. A subfield lattice attack on overstretched NTRU assumptions. In: Springer, 2016, pages 153–178. [AD21] ▇▇▇▇▇▇ ▇▇▇▇▇▇▇▇ and ▇▇▇ ▇▇▇▇▇. Lattice Attacks on NTRU and LWE: A History of Refinements. In: Compu- tational Cryptography: Algorithmic Aspects of Cryptol- ogy. London Mathematical Society Lecture Note Series. Cambridge University Press, 2021, pages 15–40. [ADPS16] ▇▇▇▇▇ ▇▇▇▇▇, ▇▇▇ ▇▇▇▇▇, ▇▇▇▇▇▇ ▇▇▇▇▇▇▇▇▇▇, and Pe- ter ▇▇▇▇▇▇▇. Post-quantum Key Exchange–A New Hope. In: 2016, pages 327–343. [AEN19] ▇▇▇▇▇▇▇▇▇ ▇▇▇▇, ▇▇▇▇▇▇ ▇▇▇▇▇▇▇, and ▇▇▇▇▇ ▇. ▇▇▇▇▇▇. Random Lattices: Theory And Practice. Available at ▇▇▇▇▇://▇▇▇▇▇▇▇.▇▇▇▇▇▇.▇▇/bin/random_lattice. pdf. 2019. [AFG13] ▇▇▇▇▇▇ ▇. ▇▇▇▇▇▇▇▇, ▇▇▇▇▇▇ ▇▇▇▇▇▇▇▇▇▇▇, and ▇▇▇▇▇▇▇ ▇▇▇▇▇▇▇. On the efficacy of solving LWE by reduction to unique-SVP. In: Springer, 2013, pages 293–310. [AGPS20] ▇▇▇▇▇▇ ▇. ▇▇▇▇▇▇▇▇, ▇▇▇▇ ▇▇▇▇▇▇▇▇▇, ▇▇▇▇▇▇ ▇. ▇▇▇▇▇▇▇▇▇▇▇▇▇, and ▇▇▇▇ ▇. ▇▇▇▇▇▇▇. Estimating quan- tum speedups for lattice sieves. In: Springer, 2020, pages 583–613. [AGVW17] ▇▇▇▇▇▇ ▇. ▇▇▇▇▇▇▇▇, ▇▇▇▇▇▇▇ ▇▇▇▇▇▇▇, ▇▇▇▇▇▇▇▇ ▇▇▇▇▇▇, and ▇▇▇▇▇▇ ▇▇▇▇▇▇▇▇. Revisiting the expected cost of solving uSVP and applications to LWE. In: International Conference on the Theory and Application of Cryptology and Information Security. Springer. 2017, pages 297–322. [Ajt99] ▇▇▇▇▇▇ ▇▇▇▇▇. Generating Hard Instances of the Short Basis Problem. In: ICALP. 1999, pages 1–9. [AKS01] ▇▇▇▇▇▇ ▇▇▇▇▇, ▇▇▇▇ ▇▇▇▇▇, and ▇. ▇▇▇▇▇▇▇▇▇. A sieve algorithm for the shortest lattice vector problem. In: STOC. 2001, pages 601–610. [AL22] ▇▇▇▇▇▇ ▇. ▇▇▇▇▇▇▇▇ and ▇▇▇▇▇▇▇ ▇▇. Predicting BKZ Z- Shapes on q-ary Lattices. Cryptology ePrint Archive, Re- port 2022/843. 2022. [Alb+15] ▇▇▇▇▇▇ ▇. ▇▇▇▇▇▇▇▇, ▇▇▇▇▇▇ ▇▇▇, ▇▇▇▇-▇▇▇▇▇▇▇ ▇▇▇▇▇▇▇, ▇▇▇▇▇▇ ▇▇▇▇▇▇▇▇▇▇▇, and ▇▇▇▇▇▇▇ ▇▇▇▇▇▇. On the complex- ity of the BKW algorithm on LWE. In: Designs, Codes and Cryptography 74.2 (2015), pages 325–354. [Alb+19] ▇▇▇▇▇▇ ▇. ▇▇▇▇▇▇▇▇, ▇▇▇ ▇▇▇▇▇, ▇▇▇▇▇▇▇▇▇ ▇▇▇▇▇▇, ▇▇▇▇▇ ▇▇▇▇▇▇▇▇▇▇, ▇▇▇▇▇▇ ▇ ▇▇▇▇▇▇▇▇▇▇▇▇▇, and ▇▇▇▇ ▇▇▇▇▇▇▇. The general sieve kernel and new records in lattice reduction. In: Annual International Conference on the Theory and Applications of Cryptographic Tech- niques. Springer. 2019, pages 717–746. [ALL19] ▇▇▇▇▇▇▇ ▇▇▇▇▇▇, ▇▇▇▇▇▇ ▇▇▇▇▇▇▇▇▇▇, and ▇▇▇▇▇▇▇▇ ▇▇▇▇▇▇▇▇. Decoding Challenge. Available at http : / / ▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇.▇▇▇. 2019. [AN17] ▇▇▇▇▇▇▇▇▇ ▇▇▇▇ and ▇▇▇▇▇ ▇. ▇▇▇▇▇▇. Random ▇▇▇- ▇▇▇▇▇ revisited: lattice enumeration with discrete prun- ing. In: Eurocrypt. 2017, pages 65–102. [ANS18] ▇▇▇▇▇▇▇▇▇ ▇▇▇▇, ▇▇▇▇▇ ▇. ▇▇▇▇▇▇, and ▇▇▇▇▇ ▇▇▇▇. Quantum lattice enumeration and tweaking discrete pruning. In: Asiacrypt. 2018, pages 405–434. [AP11] ▇▇▇▇ ▇▇▇▇▇ and ▇▇▇▇▇ ▇▇▇▇▇▇▇. Generating Shorter Bases for Hard Random Lattices. In: Theory of Computing Sys- tems 48.3 (Apr. 2011). Preliminary version in STACS 2009, pages 535–553. [AR05] ▇▇▇▇▇ ▇▇▇▇▇▇▇▇ and ▇▇▇▇ ▇▇▇▇▇. Lattice problems in NP coNP. In: J. ACM 52.5 (2005). Preliminary version in FOCS 2004, pages 749–765. [AUV19] ▇▇▇▇▇▇ ▇▇▇▇▇▇▇▇, ▇▇▇▇▇▇ ▇▇▇▇, and ▇▇▇▇▇ ▇▇▇▇▇▇▇▇. Faster sieving algorithm for approximate SVP with con- stant approximation factors. Cryptology ePrint Archive, Report 2019/1028. 2019. [AWHT16] ▇▇▇▇▇▇▇▇▇ ▇▇▇▇, ▇▇▇▇▇▇ ▇▇▇▇, ▇▇▇▇▇▇ ▇▇▇▇▇▇▇, and ▇▇▇▇▇▇▇▇ ▇▇▇▇▇▇. Improved progressive BKZ algorithms and their precise cost estimation by sharp simulator. In: Springer, 2016, pages 789–819. [Bab16] ▇▇▇▇▇▇ ▇▇▇▇▇. Graph isomorphism in quasipolynomial time. In: Proceedings of the forty-eighth annual ACM symposium on Theory of Computing. 2016, pages 684– 697. [Bab19] ▇▇▇▇▇▇ ▇▇▇▇▇. Canonical form for graphs in quasipolyno- mial time: preliminary report. In: Proceedings of the 51st Annual ACM SIGACT Symposium on Theory of Com- puting. 2019, pages 1237–1246. [Bab86] ▇▇▇▇▇▇ ▇▇▇▇▇. On ▇▇▇▇▇▇’ lattice reduction and the near- est lattice point problem. In: Combinatorica 6.1 (1986). Preliminary version in STACS 1985, pages 1–13.

Bibliography. [ABD161] ▇▇▇▇ ▇▇▇▇▇▇▇▇, ▇▇▇▇▇▇▇▇ ▇▇▇▇▇▇▇▇▇, and ▇▇▇▇▇▇▇▇ ▇▇▇▇▇▇▇▇▇▇▇. CSI-FiSh: Ef- ficient isogeny based signatures through class group computations. In Asia- crypt (1), volume 11921 of Lecture Notes in Computer Science, pages 227–247. Springer, 2019. ▇▇▇▇▇://▇▇.▇▇/2018/485. [2] ▇▇▇ ▇▇▇▇▇, ▇▇▇▇▇▇ ▇▇▇▇▇, and ▇▇▇▇▇▇▇▇▇ ▇▇▇. Oblivious pseudorandom func- tions from isogenies. In Asiacrypt (2), volume 12492 of Lecture Notes in Computer Science, pages 520–550. Springer, 2020. ▇▇▇▇▇://▇▇.▇▇/2020/1532. [3] ▇▇▇▇ ▇▇▇▇▇ and ▇▇▇▇▇ ▇▇▇▇▇▇▇▇▇▇▇. On the computation of quadratic 2-class groups. J. Th´eor. Nombres Bordeaux, 8(2):283–313, 1996. [4] ▇▇▇▇▇▇ ▇▇▇▇▇▇▇▇ and ▇▇▇▇▇▇ ▇▇▇▇▇. CSIDH on the surface. In ▇▇▇▇▇▇ ▇▇▇▇ and ▇▇▇▇-▇▇▇▇▇▇ ▇▇▇▇▇▇▇, editors, PQCrypto 2020, volume 12100 of Lecture Notes in Computer Science, pages 111–129. Springer, 2020. [5] ▇▇▇▇▇▇ ▇▇▇▇▇▇▇▇, ▇▇▇ ▇▇▇, and ▇▇▇ ▇▇▇▇▇. A subfield lattice attack on overstretched NTRU assumptions. In: Springer, 2016, pages 153–178. [AD21] ▇▇▇▇▇▇ ▇▇▇▇▇▇▇▇ and ▇▇▇ ▇▇▇▇▇. Lattice Attacks on NTRU and LWE: A History of Refinements. In: Compu- tational Cryptography: Algorithmic Aspects of Cryptol- ogy. London Mathematical Society Lecture Note Series. Cambridge University Press, 2021, pages 15–40. [ADPS16] ▇▇▇▇▇ ▇▇▇▇▇, ▇▇▇ ▇▇▇▇▇, ▇▇▇▇▇▇ ▇▇▇▇▇▇▇▇▇▇, and Pe- ter ▇▇▇▇▇▇▇. Post-quantum Key Exchange–A New Hope. In: 2016, pages 327–343. [AEN19] ▇▇▇▇▇▇▇▇▇ ▇▇▇▇, ▇▇▇▇▇▇ ▇▇▇▇▇▇▇, and ▇▇▇▇▇ ▇. ▇▇▇▇▇▇. Random Lattices: Theory And Practice. Available at ▇▇▇▇▇://▇▇▇▇▇▇▇.▇▇▇▇▇▇.▇▇/bin/random_lattice. pdf. 2019. [AFG13] ▇▇▇▇▇▇ ▇. ▇▇▇▇▇▇▇▇, ▇▇▇▇▇▇ ▇▇▇▇▇▇▇▇▇▇▇, and ▇▇▇▇▇▇▇ ▇▇▇▇▇▇▇. On the efficacy of solving LWE by reduction to unique-SVP. In: Springer, 2013, pages 293–310. [AGPS20] ▇▇▇▇▇▇ ▇. ▇▇▇▇▇▇▇▇, ▇▇▇▇ ▇▇▇▇▇▇▇▇▇. A fusion algorithm for solving the hidden shift problem in finite abelian groups. In PQCrypto, ▇▇▇▇▇▇ ▇volume 12841 of Lecture Notes in Computer Science, pages 133–153. Springer, 2021. ▇▇▇▇▇://▇▇▇▇▇▇▇▇, and ▇▇▇▇ ▇. .▇▇▇▇.▇▇▇. Estimating quan- tum speedups for lattice sieves. In: Springer, 2020, pages 583–613/2021/562. [AGVW176] ▇▇▇▇▇▇ ▇. ▇▇▇▇▇▇▇▇, ▇▇▇▇▇▇▇ ▇▇▇▇▇▇▇, ▇▇▇▇▇▇▇▇ ▇▇▇▇▇▇, and ▇▇▇▇▇▇ ▇▇▇▇▇▇▇▇. Revisiting the expected cost of solving uSVP and applications to LWE. In: International Conference on the Theory and Application of Cryptology and Information Security. Springer. 2017, pages 297–322. [Ajt99] ▇▇▇▇▇▇ ▇▇▇▇▇. Generating Hard Instances of the Short Basis Problem. In: ICALP. 1999, pages 1–9. [AKS01] ▇▇▇▇▇▇ ▇▇▇▇▇, ▇▇▇▇ ▇▇▇▇▇, and ▇. ▇▇▇▇▇▇▇▇▇. A sieve algorithm for the shortest lattice vector problem. In: STOC. 2001, pages 601–610. [AL22] ▇▇▇▇▇▇ ▇. ▇▇▇▇▇▇▇▇ and ▇▇▇▇▇▇▇ ▇▇. Predicting BKZ Z- Shapes on q-ary Lattices. Cryptology ePrint Archive, Re- port 2022/843. 2022. [Alb+15] ▇▇▇▇▇▇ ▇. ▇▇▇▇▇▇▇▇, ▇▇▇▇▇▇ ▇▇▇, ▇▇▇▇-▇▇▇▇▇▇▇ ▇▇▇▇▇▇▇, ▇▇▇▇▇▇ ▇▇▇▇▇▇▇▇▇▇▇, and ▇▇▇▇▇▇▇ ▇▇▇▇▇▇. On the complex- ity of the BKW algorithm on LWE. In: Designs, Codes and Cryptography 74.2 (2015), pages 325–354. [Alb+19] ▇▇▇▇▇▇ ▇. ▇▇▇▇▇▇▇▇, ▇▇▇ ▇▇▇▇▇, ▇▇▇▇▇▇▇▇▇ ▇▇▇▇▇▇, ▇▇▇▇▇ ▇▇▇▇▇▇▇▇▇▇, ▇▇▇▇▇▇ ▇ ▇▇▇▇▇▇▇▇▇▇▇▇▇, and ▇▇▇▇ ▇▇▇▇▇▇▇. The general sieve kernel and new records in lattice reduction. In: Annual International Conference on the Theory and Applications of Cryptographic Tech- niques. Springer. 2019, pages 717–746. [ALL19] ▇▇▇▇▇▇▇ ▇▇▇▇▇▇, ▇▇▇▇▇▇ ▇▇▇▇▇▇▇▇▇▇, and ▇▇▇▇▇▇▇▇ ▇▇▇▇▇▇▇▇. Decoding Challenge. Available at http : / / ▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇.▇▇▇. 2019. [AN17] ▇▇▇▇▇▇▇▇▇ ▇▇▇▇ and ▇▇▇▇▇ ▇. ▇▇▇▇▇▇. Random ▇▇▇- ▇▇▇▇▇ revisited: lattice enumeration with discrete prun- ing. In: Eurocrypt. 2017, pages 65–102. [ANS18] ▇▇▇▇▇▇▇▇▇ ▇▇▇▇, ▇▇▇▇▇ ▇. ▇▇▇▇▇▇, and ▇▇▇▇▇ ▇▇▇▇▇. Quantum lattice enumeration and tweaking discrete pruningCSIDH: An efficient post-quantum commutative group action. In: AsiacryptIn Asia- crypt 2018 Pt. 20183, volume 11274 of Lecture Notes in Computer Science, pages 405–434395–427. Springer, 2018. [AP11] ▇▇▇▇ ▇▇▇▇▇ and ▇▇▇▇▇ ▇▇▇▇▇▇▇. Generating Shorter Bases for Hard Random Lattices. In: Theory of Computing Sys- tems 48.3 (Apr. 2011). Preliminary version in STACS 2009, pages 535–553. [AR05] ▇▇▇▇▇ ▇▇▇▇▇▇▇▇ and ▇▇▇▇ ▇▇▇▇▇. Lattice problems in NP coNP. In: J. ACM 52.5 (2005). Preliminary version in FOCS 2004, pages 749–765. [AUV197] ▇▇▇▇▇▇ ▇▇▇▇▇▇▇▇, ▇▇▇▇▇▇ ▇▇▇▇▇, and ▇▇▇▇▇▇▇▇ ▇▇▇▇▇▇▇▇▇▇▇. Faster sieving algorithm for approximate SVP with con- stant approximation factorsRational isogenies from irrational endomorphisms. Cryptology ePrint ArchiveIn Eurocrypt (2), Report 2019/1028volume 12106 of Lecture Notes in Computer Science, pages 523–548. 2019Springer, 2020. ▇▇▇▇▇://▇▇.▇▇/2019/1202. [AWHT168] ▇▇▇▇▇▇ ▇▇▇▇▇▇▇▇, ▇▇▇▇ ▇▇▇´▇▇▇▇´a, and ▇▇▇▇▇▇▇▇ ▇▇▇▇▇▇▇▇▇▇▇. Breaking the de- cisional ▇▇▇▇▇▇-▇▇▇▇▇▇▇ problem for class group actions using genus theory. In Crypto (2), volume 12171 of Lectures Notes in Computer Science, pages 92–120. Springer, 2020. ▇▇▇▇▇://▇▇.▇▇/2020/151. [9] ▇▇▇▇▇▇▇▇ ▇▇▇▇▇ and ▇▇▇▇▇▇▇▇ ▇▇▇▇▇. Higher-degree supersingular group actions. In MathCrypt, ▇. Math. Cryptol. (to appear), 2021. ▇▇▇▇▇://▇▇.▇▇/2021/955. [10] ▇▇▇▇▇▇▇▇ ▇▇▇`o and ▇▇▇▇▇ ▇▇▇▇▇. Orienting supersingular isogeny graphs. Journal of Mathematical Cryptolology, 14(1):414–437, 2020. [11] ▇▇▇▇-▇▇▇▇ ▇▇▇▇▇▇▇▇▇▇. Hard homogeneous spaces, 2006. Unpublished article, available at ▇▇▇▇▇://▇▇▇▇▇▇.▇▇▇▇.▇▇▇/2006/291. [12] ▇▇▇▇▇ ▇. ▇▇▇. Primes of the form x2 + ny2: Fermat, class field theory, and complex multiplication. Pure and Applied Mathematics. Wiley, second edition, 2013. [13] ▇▇▇▇▇▇▇▇ ▇▇▇▇▇▇▇ and ▇▇▇▇ ▇▇ ▇▇▇. On the security of OSIDH. In PKC (1), volume 13177 of Lecture Notes in Computer Science, pages 52–81. Springer, 2022. ▇▇▇▇▇://▇▇.▇▇/2021/1681. [14] ▇▇▇▇ ▇▇ ▇▇▇, ▇▇▇▇▇▇▇ ▇▇▇▇▇▇▇ de Saint Guilhem, ▇▇▇▇ ▇▇▇▇▇ ▇▇▇▇▇▇▇, P´eter ▇▇- ▇▇▇, ▇▇▇▇▇▇▇ ▇▇▇▇▇▇, ▇▇▇▇▇▇▇▇▇▇ ▇▇▇▇, ▇▇▇▇▇▇ ▇▇▇▇, ▇▇▇▇▇▇ ▇▇▇▇▇▇▇, and ▇▇▇▇▇▇▇▇ ▇▇▇▇▇▇▇▇▇▇. Improved progressive BKZ algorithms and their precise cost estimation by sharp simulatorS´eta: Supersingular encryption from torsion attacks. In: In Asiacrypt (4), volume 13093 of Lecture Notes in Computer Science, pages 249–278. Springer, 2016, pages 789–8192021. ▇▇▇▇▇://▇▇.▇▇/2019/1291. [Bab1615] ▇▇▇▇ ▇▇ ▇▇▇ and ▇▇▇▇▇▇▇ ▇▇▇▇▇. Graph isomorphism Threshold schemes from isogeny assumptions. In PKC (2), volume 12111 of Lecture Notes in quasipolynomial time. In: Proceedings of the forty-eighth annual ACM symposium on Theory of Computing. 2016Computer Science, pages 684– 697187–212. Springer, 2020. ▇▇▇▇▇://▇▇.▇▇/2019/1288. [Bab1916] ▇▇▇▇ ▇▇▇▇▇ ▇▇▇▇▇▇▇, P´eter ▇▇▇▇▇, ▇▇▇▇▇-▇▇▇▇▇▇▇ Merz, and ▇▇▇ ▇▇ ▇▇. On the isogeny problem with torsion point information. In PKC (1), volume 13177 of Lecture Notes in Computer Science, pages 142–161. Springer, 2022. https: //▇▇.▇▇/▇▇▇▇/▇▇▇. [17] ▇▇▇▇▇▇ ▇. ▇▇▇▇▇▇▇▇▇, ▇▇▇▇▇▇▇▇▇▇ ▇▇▇▇▇, ▇▇▇▇▇ ▇▇▇▇▇, and ▇▇▇ ▇▇ ▇▇. On the security of supersingular isogeny cryptosystems. In Asiacrypt (1), volume 10031 of Lecture Notes in Computer Science, pages 63–91. Springer, 2016. https:// ▇▇.▇▇/▇▇▇▇/▇▇▇. [18] ▇▇▇▇▇ ▇▇▇ and ▇▇▇▇ ▇▇ ▇▇▇. Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. In PQCrypto, volume 7071 of Lecture Notes in Computer Science, pages 19–34. Springer, 2011. ▇▇▇▇▇://▇▇.▇▇/2011/506. [19] ▇▇▇▇▇ ▇. ▇▇▇▇▇▇▇ and ▇▇▇▇▇▇▇▇▇▇▇ ▇▇▇▇▇. Canonical form for graphs in quasipolyno- mial time: preliminary reportFast polynomial factorization and modular composition. In: Proceedings of the 51st Annual ACM SIGACT Symposium on Theory of Com- puting. 2019In IEEE FOCS 2008, pages 1237–1246146–155, 2008. ▇▇▇▇://▇▇▇▇▇. ▇▇▇.▇▇▇▇▇▇▇.▇▇▇/~▇▇▇▇▇/▇▇▇▇▇▇/▇▇▇▇-▇▇▇▇▇.▇▇▇. [Bab8620] Yi-Fu ▇▇▇, ▇▇▇▇▇▇ ▇. ▇▇▇▇▇▇▇▇▇, and ▇▇▇▇▇▇▇ ▇▇▇▇▇▇▇ de Saint Guilhem. Com- pact, efficient and UC-secure isogeny-based oblivious transfer. In Eurocrypt (1), volume 12696 of Lecture Notes in Computer Science, pages 213–241. Springer, 2021. ▇▇▇▇▇://▇▇.▇▇/2020/1012. [21] ▇▇▇▇▇ ▇. ▇▇▇▇▇. Complex multiplication (v0.10), 2020. ▇▇▇▇▇://▇▇▇.▇▇▇▇▇▇. org/math/CourseNotes/cm.html. [22] ▇▇▇▇▇▇▇ ▇▇▇▇▇. On oriented supersingular elliptic curves. Finite Fields Appl., 69:Paper No. 101777, 18, 2021. [23] ▇▇▇▇▇▇’ lattice reduction ▇ ▇▇▇▇▇. Probabilistic algorithms in finite fields. SIAM J. Com- put., 9(2):273–280, 1980. ▇▇▇▇://▇▇▇▇▇▇▇▇▇▇▇▇.▇▇▇▇▇.▇▇▇.▇▇▇/lcs/pubs/ pdf/MIT-LCS-TR-213.pdf. [24] ▇▇▇▇▇▇▇▇▇ ▇▇▇▇▇▇▇▇▇▇ and the near- est lattice point problem▇▇▇▇▇ ▇▇▇▇▇▇▇▇▇. In: Combinatorica 6.1 Public-key cryptosystem based on isogenies. IACR Cryptology ePrint Archive 2006/145, 2006. ▇▇▇▇▇://▇▇.▇▇/ 2006/145. [25] ▇▇▇▇-▇▇▇▇▇ ▇▇¨ck. A note on elliptic curves over finite fields. Math. Comp., 49(179):301–304, 1987. [26] Ren´e ▇▇▇▇▇▇. Nonsingular plane cubic curves over finite fields. J. Combin. Theory Ser. A, 46(2):183–211, 1987. [27] ▇▇▇▇▇ ▇▇▇▇▇▇▇▇▇▇▇. R´edei-matrices and applications. In Number theory (1986Paris, 1992–1993), volume 215 of London Math. Preliminary version in STACS 1985Soc. Lecture Note Ser., pages 1–13245–259. Cambridge Univ. Press, Cambridge, 1995. [28] ▇▇▇▇▇ ▇▇▇▇▇▇▇▇▇. Cryptographic schemes based on isogenies. 2012. PhD thesis. ▇▇▇▇▇://▇▇▇▇▇▇▇▇.▇▇▇▇.▇▇/ntnu-xmlui/bitstream/handle/11250/262577/ 529395_FULLTEXT01.pdf. [29] G´▇▇▇▇▇ ▇▇▇▇▇▇▇▇▇. Introduction to analytic and probabilistic number theory, volume 163 of Graduate Studies in Mathematics. American Mathematical Society, Providence, RI, third edition, 2015. Translated from the 2008 French edition by ▇▇▇▇▇▇▇ ▇. ▇. ▇▇▇.

Bibliography. [ABD161] ▇▇▇▇ ▇▇▇▇▇▇▇▇, ▇▇▇▇▇▇▇▇ ▇▇▇▇▇▇▇▇▇, and ▇▇▇▇▇▇▇▇ ▇▇▇▇▇▇▇▇▇▇▇. CSI-FiSh: Ef- ficient isogeny based signatures through class group computations. In Asia- crypt (1), volume 11921 of Lecture Notes in Computer Science, pages 227–247. Springer, 2019. ▇▇▇▇▇://▇▇.▇▇/2018/485. [2] ▇▇▇ ▇▇▇▇▇, ▇▇▇▇▇▇ ▇▇▇▇▇, and ▇▇▇▇▇▇▇▇▇ ▇▇▇. Oblivious pseudorandom func- tions from isogenies. In Asiacrypt (2), volume 12492 of Lecture Notes in Computer Science, pages 520–550. Springer, 2020. ▇▇▇▇▇://▇▇.▇▇/2020/1532. [3] ▇▇▇▇ ▇▇▇▇▇ and ▇▇▇▇▇ ▇▇▇▇▇▇▇▇▇▇▇. On the computation of quadratic 2-class groups. J. Th´eor. Nombres Bordeaux, 8(2):283–313, 1996. [4] ▇▇▇▇▇▇ ▇▇▇▇▇▇▇▇ and ▇▇▇▇▇▇ ▇▇▇▇▇. CSIDH on the surface. In ▇▇▇▇▇▇ ▇▇▇▇ and ▇▇▇▇-▇▇▇▇▇▇ ▇▇▇▇▇▇▇, editors, PQCrypto 2020, volume 12100 of Lecture Notes in Computer Science, pages 111–129. Springer, 2020. [5] ▇▇▇▇▇▇ ▇▇▇▇▇▇▇▇, ▇▇▇ ▇▇▇, and ▇▇▇ ▇▇▇▇▇. A subfield lattice attack on overstretched NTRU assumptions. In: Springer, 2016, pages 153–178. [AD21] ▇▇▇▇▇▇ ▇▇▇▇▇▇▇▇ and ▇▇▇ ▇▇▇▇▇. Lattice Attacks on NTRU and LWE: A History of Refinements. In: Compu- tational Cryptography: Algorithmic Aspects of Cryptol- ogy. London Mathematical Society Lecture Note Series. Cambridge University Press, 2021, pages 15–40. [ADPS16] ▇▇▇▇▇ ▇▇▇▇▇, ▇▇▇ ▇▇▇▇▇, ▇▇▇▇▇▇ ▇▇▇▇▇▇▇▇▇▇, and Pe- ter ▇▇▇▇▇▇▇. Post-quantum Key Exchange–A New Hope. In: 2016, pages 327–343. [AEN19] ▇▇▇▇▇▇▇▇▇ ▇▇▇▇, ▇▇▇▇▇▇ ▇▇▇▇▇▇▇, and ▇▇▇▇▇ ▇. ▇▇▇▇▇▇. Random Lattices: Theory And Practice. Available at ▇▇▇▇▇://▇▇▇▇▇▇▇.▇▇▇▇▇▇.▇▇/bin/random_lattice. pdf. 2019. [AFG13] ▇▇▇▇▇▇ ▇. ▇▇▇▇▇▇▇▇, ▇▇▇▇▇▇ ▇▇▇▇▇▇▇▇▇▇▇, and ▇▇▇▇▇▇▇ ▇▇▇▇▇▇▇. On the efficacy of solving LWE by reduction to unique-SVP. In: Springer, 2013, pages 293–310. [AGPS20] ▇▇▇▇▇▇ ▇. ▇▇▇▇▇▇▇▇, ▇▇▇▇ ▇▇▇▇▇▇▇▇▇. A fusion algorithm for solving the hidden shift problem in finite abelian groups. In PQCrypto, ▇▇▇▇▇▇ ▇volume 12841 of Lecture Notes in Computer Science, pages 133–153. Springer, 2021. ▇▇▇▇▇://▇▇▇▇▇▇▇▇, and ▇▇▇▇ ▇. .▇▇▇▇.▇▇▇. Estimating quan- tum speedups for lattice sieves. In: Springer, 2020, pages 583–613/2021/562. [AGVW176] ▇▇▇▇▇▇ ▇. ▇▇▇▇▇▇▇▇, ▇▇▇▇▇▇▇ ▇▇▇▇▇▇▇, ▇▇▇▇▇▇▇▇ ▇▇▇▇▇▇, and ▇▇▇▇▇▇ ▇▇▇▇▇▇▇▇. Revisiting the expected cost of solving uSVP and applications to LWE. In: International Conference on the Theory and Application of Cryptology and Information Security. Springer. 2017, pages 297–322. [Ajt99] ▇▇▇▇▇▇ ▇▇▇▇▇. Generating Hard Instances of the Short Basis Problem. In: ICALP. 1999, pages 1–9. [AKS01] ▇▇▇▇▇▇ ▇▇▇▇▇, ▇▇▇▇ ▇▇▇▇▇, and ▇. ▇▇▇▇▇▇▇▇▇. A sieve algorithm for the shortest lattice vector problem. In: STOC. 2001, pages 601–610. [AL22] ▇▇▇▇▇▇ ▇. ▇▇▇▇▇▇▇▇ and ▇▇▇▇▇▇▇ ▇▇. Predicting BKZ Z- Shapes on q-ary Lattices. Cryptology ePrint Archive, Re- port 2022/843. 2022. [Alb+15] ▇▇▇▇▇▇ ▇. ▇▇▇▇▇▇▇▇, ▇▇▇▇▇▇ ▇▇▇, ▇▇▇▇-▇▇▇▇▇▇▇ ▇▇▇▇▇▇▇, ▇▇▇▇▇▇ ▇▇▇▇▇▇▇▇▇▇▇, and ▇▇▇▇▇▇▇ ▇▇▇▇▇▇. On the complex- ity of the BKW algorithm on LWE. In: Designs, Codes and Cryptography 74.2 (2015), pages 325–354. [Alb+19] ▇▇▇▇▇▇ ▇. ▇▇▇▇▇▇▇▇, ▇▇▇ ▇▇▇▇▇, ▇▇▇▇▇▇▇▇▇ ▇▇▇▇▇▇, ▇▇▇▇▇ ▇▇▇▇▇▇▇▇▇▇, ▇▇▇▇▇▇ ▇ ▇▇▇▇▇▇▇▇▇▇▇▇▇, and ▇▇▇▇ ▇▇▇▇▇▇▇. The general sieve kernel and new records in lattice reduction. In: Annual International Conference on the Theory and Applications of Cryptographic Tech- niques. Springer. 2019, pages 717–746. [ALL19] ▇▇▇▇▇▇▇ ▇▇▇▇▇▇, ▇▇▇▇▇▇ ▇▇▇▇▇▇▇▇▇▇, and ▇▇▇▇▇▇▇▇ ▇▇▇▇▇▇▇▇. Decoding Challenge. Available at http : / / ▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇.▇▇▇. 2019. [AN17] ▇▇▇▇▇▇▇▇▇ ▇▇▇▇ and ▇▇▇▇▇ ▇. ▇▇▇▇▇▇. Random ▇▇▇- ▇▇▇▇▇ revisited: lattice enumeration with discrete prun- ing. In: Eurocrypt. 2017, pages 65–102. [ANS18] ▇▇▇▇▇▇▇▇▇ ▇▇▇▇, ▇▇▇▇▇ ▇. ▇▇▇▇▇▇, and ▇▇▇▇▇ ▇▇▇▇▇. Quantum lattice enumeration and tweaking discrete pruningCSIDH: An efficient post-quantum commutative group action. In: AsiacryptIn Asia- crypt 2018 Pt. 20183, volume 11274 of Lecture Notes in Computer Science, pages 405–434395–427. Springer, 2018. [AP11] ▇▇▇▇ ▇▇▇▇▇ and ▇▇▇▇▇ ▇▇▇▇▇▇▇. Generating Shorter Bases for Hard Random Lattices. In: Theory of Computing Sys- tems 48.3 (Apr. 2011). Preliminary version in STACS 2009, pages 535–553. [AR05] ▇▇▇▇▇ ▇▇▇▇▇▇▇▇ and ▇▇▇▇ ▇▇▇▇▇. Lattice problems in NP coNP. In: J. ACM 52.5 (2005). Preliminary version in FOCS 2004, pages 749–765. [AUV197] ▇▇▇▇▇▇ ▇▇▇▇▇▇▇▇, ▇▇▇▇▇▇ ▇▇▇▇▇, and ▇▇▇▇▇▇▇▇ ▇▇▇▇▇▇▇▇▇▇▇. Faster sieving algorithm for approximate SVP with con- stant approximation factorsRational isogenies from irrational endomorphisms. Cryptology ePrint ArchiveIn Eurocrypt (2), Report 2019/1028volume 12106 of Lecture Notes in Computer Science, pages 523–548. 2019Springer, 2020. ▇▇▇▇▇://▇▇.▇▇/2019/1202. [AWHT168] ▇▇▇▇▇▇ ▇▇▇▇▇▇▇▇, ▇▇▇▇ ▇▇▇´▇▇▇▇´a, and ▇▇▇▇▇▇▇▇ ▇▇▇▇▇▇▇▇▇▇▇. Breaking the de- cisional ▇▇▇▇▇▇-▇▇▇▇▇▇▇ problem for class group actions using genus theory. In Crypto (2), volume 12171 of Lectures Notes in Computer Science, pages 92–120. Springer, 2020. ▇▇▇▇▇://▇▇.▇▇/2020/151. [9] ▇▇▇▇▇▇▇▇ ▇▇▇▇▇ and ▇▇▇▇▇▇▇▇ ▇▇▇▇▇. Higher-degree supersingular group actions. In MathCrypt, ▇. Math. Cryptol. (to appear), 2021. ▇▇▇▇▇://▇▇.▇▇/2021/955. [10] ▇▇▇▇▇▇▇▇ ▇▇▇`o and ▇▇▇▇▇ ▇▇▇▇▇. Orienting supersingular isogeny graphs. Journal of Mathematical Cryptolology, 14(1):414–437, 2020. [11] ▇▇▇▇-▇▇▇▇ ▇▇▇▇▇▇▇▇▇▇. Hard homogeneous spaces, 2006. Unpublished article, available at ▇▇▇▇▇://▇▇▇▇▇▇.▇▇▇▇.▇▇▇/2006/291. [12] ▇▇▇▇▇ ▇. ▇▇▇. Primes of the form x2 + ny2: Fermat, class field theory, and complex multiplication. Pure and Applied Mathematics. Wiley, second edition, 2013. [13] ▇▇▇▇▇▇▇▇ ▇▇▇▇▇▇▇ and ▇▇▇▇ ▇▇ ▇▇▇. On the security of OSIDH. In PKC (1), volume 13177 of Lecture Notes in Computer Science, pages 52–81. Springer, 2022. ▇▇▇▇▇://▇▇.▇▇/2021/1681. [14] ▇▇▇▇ ▇▇ ▇▇▇, Cyprien Delpech de Saint Guilhem, ▇▇▇▇ ▇▇▇▇▇ ▇▇▇▇▇▇▇, P´eter ▇▇- ▇▇▇, ▇▇▇▇▇▇▇ ▇▇▇▇▇▇, ▇▇▇▇▇▇▇▇▇▇ ▇▇▇▇, ▇▇▇▇▇▇ ▇▇▇▇, ▇▇▇▇▇▇ ▇▇▇▇▇▇▇, and ▇▇▇▇▇▇▇▇ ▇▇▇▇▇▇▇▇▇▇. Improved progressive BKZ algorithms and their precise cost estimation by sharp simulatorS´eta: Supersingular encryption from torsion attacks. In: In Asiacrypt (4), volume 13093 of Lecture Notes in Computer Science, pages 249–278. Springer, 2016, pages 789–8192021. ▇▇▇▇▇://▇▇.▇▇/2019/1291. [Bab1615] ▇▇▇▇ ▇▇ ▇▇▇ and ▇▇▇▇▇▇▇ ▇▇▇▇▇. Graph isomorphism Threshold schemes from isogeny assumptions. In PKC (2), volume 12111 of Lecture Notes in quasipolynomial time. In: Proceedings of the forty-eighth annual ACM symposium on Theory of Computing. 2016Computer Science, pages 684– 697187–212. Springer, 2020. ▇▇▇▇▇://▇▇.▇▇/2019/1288. [Bab1916] ▇▇▇▇ ▇▇▇▇▇ ▇▇▇▇▇▇▇, P´eter ▇▇▇▇▇, ▇▇▇▇▇-▇▇▇▇▇▇▇ Merz, and ▇▇▇ ▇▇ ▇▇. On the isogeny problem with torsion point information. In PKC (1), volume 13177 of Lecture Notes in Computer Science, pages 142–161. Springer, 2022. https: //▇▇.▇▇/▇▇▇▇/▇▇▇. [17] ▇▇▇▇▇▇ ▇. ▇▇▇▇▇▇▇▇▇, ▇▇▇▇▇▇▇▇▇▇ ▇▇▇▇▇, ▇▇▇▇▇ ▇▇▇▇▇, and ▇▇▇ ▇▇ ▇▇. On the security of supersingular isogeny cryptosystems. In Asiacrypt (1), volume 10031 of Lecture Notes in Computer Science, pages 63–91. Springer, 2016. https:// ▇▇.▇▇/▇▇▇▇/▇▇▇. [18] ▇▇▇▇▇ ▇▇▇ and ▇▇▇▇ ▇▇ ▇▇▇. Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. In PQCrypto, volume 7071 of Lecture Notes in Computer Science, pages 19–34. Springer, 2011. ▇▇▇▇▇://▇▇.▇▇/2011/506. [19] ▇▇▇▇▇ ▇. ▇▇▇▇▇▇▇ and ▇▇▇▇▇▇▇▇▇▇▇ ▇▇▇▇▇. Canonical form for graphs in quasipolyno- mial time: preliminary reportFast polynomial factorization and modular composition. In: Proceedings of the 51st Annual ACM SIGACT Symposium on Theory of Com- puting. 2019In IEEE FOCS 2008, pages 1237–1246146–155, 2008. ▇▇▇▇://▇▇▇▇▇. ▇▇▇.▇▇▇▇▇▇▇.▇▇▇/~▇▇▇▇▇/▇▇▇▇▇▇/▇▇▇▇-▇▇▇▇▇.▇▇▇. [Bab8620] Yi-Fu ▇▇▇, ▇▇▇▇▇▇ ▇. ▇▇▇▇▇▇▇▇▇, and ▇▇▇▇▇▇▇ ▇▇▇▇▇▇▇ de Saint Guilhem. Com- pact, efficient and UC-secure isogeny-based oblivious transfer. In Eurocrypt (1), volume 12696 of Lecture Notes in Computer Science, pages 213–241. Springer, 2021. ▇▇▇▇▇://▇▇.▇▇/2020/1012. [21] ▇▇▇▇▇ ▇. ▇▇▇▇▇. Complex multiplication (v0.10), 2020. ▇▇▇▇▇://▇▇▇.▇▇▇▇▇▇. org/math/CourseNotes/cm.html. [22] ▇▇▇▇▇▇▇ ▇▇▇▇▇. On oriented supersingular elliptic curves. Finite Fields Appl., 69:Paper No. 101777, 18, 2021. [23] ▇▇▇▇▇▇’ lattice reduction ▇ ▇▇▇▇▇. Probabilistic algorithms in finite fields. SIAM J. Com- put., 9(2):273–280, 1980. ▇▇▇▇://▇▇▇▇▇▇▇▇▇▇▇▇.▇▇▇▇▇.▇▇▇.▇▇▇/lcs/pubs/ pdf/MIT-LCS-TR-213.pdf. [24] ▇▇▇▇▇▇▇▇▇ ▇▇▇▇▇▇▇▇▇▇ and the near- est lattice point problem▇▇▇▇▇ ▇▇▇▇▇▇▇▇▇. In: Combinatorica 6.1 Public-key cryptosystem based on isogenies. IACR Cryptology ePrint Archive 2006/145, 2006. ▇▇▇▇▇://▇▇.▇▇/ 2006/145. [25] ▇▇▇▇-▇▇▇▇▇ ▇▇¨ck. A note on elliptic curves over finite fields. Math. Comp., 49(179):301–304, 1987. [26] Ren´e ▇▇▇▇▇▇. Nonsingular plane cubic curves over finite fields. J. Combin. Theory Ser. A, 46(2):183–211, 1987. [27] ▇▇▇▇▇ ▇▇▇▇▇▇▇▇▇▇▇. R´edei-matrices and applications. In Number theory (1986Paris, 1992–1993), volume 215 of London Math. Preliminary version in STACS 1985Soc. Lecture Note Ser., pages 1–13245–259. Cambridge Univ. Press, Cambridge, 1995. [28] ▇▇▇▇▇ ▇▇▇▇▇▇▇▇▇. Cryptographic schemes based on isogenies. 2012. PhD thesis. ▇▇▇▇▇://▇▇▇▇▇▇▇▇.▇▇▇▇.▇▇/ntnu-xmlui/bitstream/handle/11250/262577/ 529395_FULLTEXT01.pdf. [29] G´▇▇▇▇▇ ▇▇▇▇▇▇▇▇▇. Introduction to analytic and probabilistic number theory, volume 163 of Graduate Studies in Mathematics. American Mathematical Society, Providence, RI, third edition, 2015. Translated from the 2008 French edition by ▇▇▇▇▇▇▇ ▇. ▇. ▇▇▇.