Isogeny Graphs in Superposition and Quantum Onion Routing


Onion routing provides anonymity by layering encryption so that no relay can link sender to destination. A quantum analogue faces a core obstacle: layered quantum encryption generally requires symmetric encryption schemes, whereas classically one would rely on public-key encryption. We propose a symmetric-encryption-based quantum onion routing (QOR) scheme by instantiating each layer with the abelian ideal class group action from the Theory of Complex Multiplication. Session keys are established locally via a Diffie-Hellman key exchange between neighbors in the chain of communication. Furthermore, we propose a novel "non-local" key exchange between the sender and receiver. The underlying problem remains hard even for quantum adversaries and underpins the security of current post-quantum schemes. We connect our construction to isogeny graphs and their association schemes, using the Bose-Mesner algebra to formalize commutativity and guide implementation. We give two implementation paths: (i) a universal quantum oracle evaluating the class group action with polynomially many quantum resources, and (ii) an intrinsically quantum approach via continuous-time quantum walks (CTQWs), outlined here and developed in a companion paper. A small Qiskit example illustrates the mechanics (by design, not the efficiency) of the QOR.


💡 Research Summary

This paper tackles the problem of providing anonymity in quantum networks by constructing a quantum onion routing (QOR) protocol that relies exclusively on symmetric‑key encryption. The authors observe that quantum operations are inherently reversible, which makes traditional public‑key encryption unsuitable for layered encryption in the quantum setting. To overcome this, they employ the abelian ideal class group action arising from the theory of Complex Multiplication (CM) as the underlying cryptographic primitive.

For a chosen imaginary quadratic discriminant $\Delta$, the maximal order $\mathcal{O}_\Delta$ has an ideal class group $\mathrm{Cl}(\mathcal{O}_\Delta)$. This group acts freely and transitively on the set of j‑invariants $\{j(\mathfrak a)\}$ of elliptic curves with complex multiplication by $\mathcal{O}_\Delta$. The action is given by $b * j(\mathfrak a) = j(b^{-1}\mathfrak a)$. Because the group is abelian and the action is injective, it can be used as a reversible “encryption” operation that satisfies the unitary requirement of quantum circuits.

Security rests on two quantum‑hard assumptions. First, the vectorization problem: given a pair $(j_0, j_1)$, finding the class group element $g$ such that $g * j_0 = j_1$ is believed to be hard for quantum polynomial‑time algorithms. This is precisely the hardness underlying CSIDH and SCURF, the leading post‑quantum isogeny‑based schemes. Second, the underlying Cayley graph $G = \mathrm{Cay}(\mathrm{Cl}(\mathcal{O}_\Delta), S)$ (with a generating set $S$ of small‑norm ideals) is an expander. Consequently, a random walk of length $O(\log |\mathrm{Cl}|)$ mixes rapidly, making it infeasible for an adversary to reconstruct the walk (i.e., the encryption path) even with quantum resources.

The protocol proceeds in three logical phases. (1) Local session‑key establishment: adjacent nodes (e.g., Alice↔Bob, Bob↔Carol) perform a quantum Diffie‑Hellman exchange to agree on secret class‑group elements $a, b, c$. Each node’s secret defines a layer of encryption via the class‑group action. (2) Non‑local (global) key exchange: the sender (Alice) selects a global secret $k$ and conveys it to the receiver (Carol) using the same class‑group framework, ensuring that only the end parties know the final decryption key. (3) Layered encryption/decryption: the message flow is
 Carol computes $j_C = c * j_0$ and sends it to Bob;
 Bob computes $j_{BC} = b * j_C$ and forwards it to Alice;
 Alice computes $j_{ABC} = a * j_{BC}$ and returns it to Bob;
 Bob removes his layer with $b^{-1}$ to obtain $j_{AC}$ and sends it to Carol;
 Carol removes her layer with $c^{-1}$ to recover Alice’s global key $j_A$.
The recovered $j_A$ is then used to apply a deterministic N‑qubit rotation circuit $C(j_A)=\prod_{k=0}^{N-1} R_X(\vartheta_k(j_A))$ to the quantum message $|m\rangle$. The angles $\vartheta_k(j)$ are derived from a Sobol low‑discrepancy sequence, providing a uniform distribution of rotation parameters.
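The message flow of phase (3) can be traced classically on a toy class group to see why Bob can strip his layer even though Alice's sits on top of it. The following is an added example, not code from the paper or its Qiskit demonstration. It assumes a constructed discriminant $D = -71$, labels each j‑invariant by the reduced binary quadratic form of its ideal class, and uses constructed secrets `A`, `B`, `C`; all function names are hypothetical.

```python
# Classical toy model: a class of Cl(O_D) is a reduced form (a, b, c) with
# b^2 - 4ac = D, and j(a) is represented by the label of the class [a].
D = -71  # constructed toy discriminant (class number 7)

def egcd(a, b):
    """Return (g, x, y) with x*a + y*b == g == gcd(a, b) >= 0."""
    x0, x1, y0, y1 = 1, 0, 0, 1
    while b:
        q = a // b
        a, b, x0, x1, y0, y1 = b, a - q * b, x1, x0 - q * x1, y1, y0 - q * y1
    return (a, x0, y0) if a >= 0 else (-a, -x0, -y0)

def reduce_form(a, b):
    """Unique reduced representative of the form (a, b, *) of discriminant D."""
    while True:
        b = (b + a - 1) % (2 * a) - a + 1   # bring b into (-a, a]
        c = (b * b - D) // (4 * a)
        if a <= c:
            return (a, abs(b) if a == c else b, c)
        a, b = c, -b                        # swap outer coefficients, retry

def compose(f, g):
    """Dirichlet composition: the (abelian) class-group law."""
    (a1, b1, _), (a2, b2, _) = f, g
    g1, u1, v1 = egcd(a1, a2)
    d, x, w = egcd(g1, (b1 + b2) // 2)
    u, v = x * u1, x * v1                   # u*a1 + v*a2 + w*(b1+b2)/2 == d
    b3 = (u * a1 * b2 + v * a2 * b1 + w * (b1 * b2 + D) // 2) // d
    return reduce_form(a1 * a2 // (d * d), b3)

def inverse(f):
    return reduce_form(f[0], -f[1])

def act(b, j):
    """The action b * j(a) = j(b^{-1} a), on class labels."""
    return compose(inverse(b), j)

def run_exchange(a, b, c, j0):
    j_C = act(c, j0)                  # Carol -> Bob
    j_BC = act(b, j_C)                # Bob -> Alice
    j_ABC = act(a, j_BC)              # Alice -> Bob
    j_AC = act(inverse(b), j_ABC)     # Bob strips his layer with b^{-1}
    j_A = act(inverse(c), j_AC)       # Carol strips hers with c^{-1}
    return {"j_C": j_C, "j_BC": j_BC, "j_ABC": j_ABC, "j_AC": j_AC, "j_A": j_A}

G = (2, 1, 9)                         # class of a prime ideal of norm 2
J0 = reduce_form(1, D % 2)            # principal class as base point
A, B, C = G, compose(compose(G, G), G), compose(G, G)   # constructed secrets
print(run_exchange(A, B, C, J0))
```

With only seven classes the vectorization problem is trivial here; the model shows the algebra of the layers, not their hardness.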

Implementation is explored along two avenues. (i) Universal quantum oracle: a polynomial‑size quantum circuit that, given a class‑group element and a j‑invariant, outputs the acted‑upon j‑invariant. This approach is conceptually straightforward but incurs substantial gate overhead on near‑term devices. (ii) Continuous‑time quantum walks (CTQW): by encoding the isogeny graph’s Laplacian into a Hamiltonian, the system evolves naturally under the class‑group action. CTQWs exploit the spectral gap of the expander graph to achieve rapid mixing, offering a more intrinsically quantum and potentially scalable method. The CTQW route is outlined here and fully developed in a companion paper.

A small Qiskit demonstration with three parties illustrates the mechanics of the protocol. The example deliberately uses tiny parameters (exponential in resources) to make the steps transparent rather than efficient.

The authors also discuss security considerations. Quantum attacks such as Shor’s algorithm do not break the vectorization problem, and Grover‑type search offers at most a quadratic speed‑up, which is insufficient given the exponential size of the class group. The commutative nature of the layers prevents any intermediate node from learning the ordering or content of other layers, and the reversible nature of the operations ensures that measurement by an adversary collapses the quantum state, thwarting traffic‑analysis attacks.

In conclusion, the paper presents a novel synthesis of algebraic number theory, isogeny graph theory, and quantum information to realize an anonymous routing protocol that is provably secure against both classical and quantum adversaries. It opens several research directions: efficient CTQW hardware implementation, optimized oracle constructions for large class groups, formal verification of the protocol’s anonymity guarantees, and integration with hybrid classical‑quantum networks.

