-
Failing to hash into supersingular isogeny graphs
Authors:
Jeremy Booher,
Ross Bowden,
Javad Doliskani,
Tako Boris Fouotsa,
Steven D. Galbraith,
Sabrina Kunzweiler,
Simon-Philipp Merz,
Christophe Petit,
Benjamin Smith,
Katherine E. Stange,
Yan Bo Ti,
Christelle Vincent,
José Felipe Voloch,
Charlotte Weitkämper,
Lukas Zobernig
Abstract:
An important open problem in supersingular isogeny-based cryptography is to produce, without a trusted authority, concrete examples of "hard supersingular curves" that is, equations for supersingular curves for which computing the endomorphism ring is as difficult as it is for random supersingular curves. A related open problem is to produce a hash function to the vertices of the supersingular $\ell$-isogeny graph which does not reveal the endomorphism ring, or a path to a curve of known endomorphism ring. Such a hash function would open up interesting cryptographic applications. In this paper, we document a number of (thus far) failed attempts to solve this problem, in the hope that we may spur further research, and shed light on the challenges and obstacles to this endeavour. The mathematical approaches contained in this article include: (i) iterative root-finding for the supersingular polynomial; (ii) gcd's of specialized modular polynomials; (iii) using division polynomials to create small systems of equations; (iv) taking random walks in the isogeny graph of abelian surfaces; and (v) using quantum random walks.
Submitted 8 May, 2024; v1 submitted 29 April, 2022;
originally announced May 2022.
-
Computing isogenies between supersingular elliptic curves over F_p
Authors:
Christina Delfs,
Steven D. Galbraith
Abstract:
Let p>3 be a prime and let E, E' be supersingular elliptic curves over F_p. We want to construct an isogeny phi: E --> E'. The currently fastest algorithm for finding isogenies between supersingular elliptic curves solves this problem by performing a "meet-in-the-middle" breadth-first search in the full supersingular 2-isogeny graph over F_{p^2}. In this paper we consider the structure of the isogeny graph of supersingular elliptic curves over F_p. We give an algorithm to construct isogenies between such supersingular elliptic curves that works faster than the usual algorithm. We then discuss how these results can be used to obtain an improved algorithm for the general supersingular isogeny problem.
Submitted 29 October, 2013;
originally announced October 2013.
-
Constructing supersingular elliptic curves with a given endomorphism ring
Authors:
Ilya Chevyrev,
Steven D. Galbraith
Abstract:
Let O be a maximal order in the quaternion algebra B_p over Q ramified at p and infinity. The paper is about the computational problem: Construct a supersingular elliptic curve E over F_p such that End(E) = O. We present an algorithm that solves this problem by taking gcds of the reductions modulo p of Hilbert class polynomials. New theoretical results are required to determine the complexity of our algorithm. Our main result is that, under certain conditions on a rank three sublattice O^T of O, the order O is effectively characterized by the three successive minima and two other short vectors of O^T. The desired conditions turn out to hold whenever the j-invariant j(E), of the elliptic curve with End(E) = O, lies in F_p. We can then prove that our algorithm terminates with running time O(p^{1+ε}) under the aforementioned conditions. As a further application we present an algorithm to simultaneously match all maximal order types with their associated j-invariants. Our algorithm has running time O(p^{2.5+ε}) operations and is more efficient than Cervino's algorithm for the same problem.
Submitted 23 October, 2014; v1 submitted 29 January, 2013;
originally announced January 2013.
-
Distortion maps for genus two curves
Authors:
Steven D. Galbraith,
Jordi Pujolàs,
Christophe Ritzenthaler,
Benjamin Smith
Abstract:
Distortion maps are a useful tool for pairing based cryptography. Compared with elliptic curves, the case of hyperelliptic curves of genus g > 1 is more complicated since the full torsion subgroup has rank 2g. In this paper we prove that distortion maps always exist for supersingular curves of genus g>1 and we construct distortion maps in genus 2 (for embedding degrees 4,5,6 and 12).
Submitted 15 November, 2006;
originally announced November 2006.
-
Discrete Logarithms in Generalized Jacobians
Authors:
S. D. Galbraith,
B. A. Smith
Abstract:
Déchène has proposed generalized Jacobians as a source of groups for public-key cryptosystems based on the hardness of the Discrete Logarithm Problem (DLP). Her specific proposal gives rise to a group isomorphic to the semidirect product of an elliptic curve and a multiplicative group of a finite field. We explain why her proposal has no advantages over simply taking the direct product of groups. We then argue that generalized Jacobians offer poorer security and efficiency than standard Jacobians.
Submitted 2 October, 2006;
originally announced October 2006.