Failing to hash into supersingular isogeny graphs

Christophe Petit; Jeremie Booher; Ross Bowden; Javad Doliskani; Tako Boris Fouotsa; Steven D. Galbraith; Sabrina Kunzweiler; Simon-Philipp Merz; Benjamin Smith; Katherine E. Stange; Yan Bo Ti; Christelle Vincent; José Felipe Voloch; Charlotte Weitkämper; Lukas Zobernig

Failing to hash into supersingular isogeny graphs

Christophe Petit, Jeremie Booher, Ross Bowden, Javad Doliskani, Tako Boris Fouotsa, Steven D. Galbraith, Sabrina Kunzweiler, Simon-Philipp Merz, Benjamin Smith, Katherine E. Stange, Yan Bo Ti, Christelle Vincent, José Felipe Voloch, Charlotte Weitkämper, Lukas Zobernig

Computer Science

Research output: Contribution to journal › Article › peer-review

3 Downloads (Pure)

Abstract

An important open problem in supersingular isogeny-based cryptography is to produce, without a trusted authority, concrete examples of ``hard supersingular curves'' that is, equations for supersingular curves for which computing the endomorphism ring is as difficult as it is for random supersingular curves. A related open problem is to produce a hash function to the vertices of the supersingular $\ell$-isogeny graph which does not reveal the endomorphism ring, or a path to a curve of known endomorphism ring. Such a hash function would open up interesting cryptographic applications. In this paper, we document a number of (thus far) failed attempts to solve this problem, in the hope that we may spur further research, and shed light on the challenges and obstacles to this endeavour. The mathematical approaches contained in this article include: \begin{enumerate*}[label=(\roman*)] \item iterative root-finding for the supersingular polynomial; \item gcd's of specialized modular polynomials; \item using division polynomials to create small systems of equations; \item taking random walks in the isogeny graph of abelian surfaces, and applying Kummer surfaces; and \item using quantum random walks. \end{enumerate*}

Original language	English
Journal	The Computer Journal
Publication status	Accepted/In press - 27 Mar 2024

Bibliographical note

Not yet published as of 22/04/2024

Embargoed Document

PetitC2024Failing_AAM
Accepted author manuscript, 831 KB
Embargo ends: 20/05/24

Cite this

@article{99ba2f4b305247f1ab37f067c5945af2,

title = "Failing to hash into supersingular isogeny graphs",

abstract = "An important open problem in supersingular isogeny-based cryptography is to produce, without a trusted authority, concrete examples of ``hard supersingular curves'' that is, equations for supersingular curves for which computing the endomorphism ring is as difficult as it is for random supersingular curves. A related open problem is to produce a hash function to the vertices of the supersingular $\ell$-isogeny graph which does not reveal the endomorphism ring, or a path to a curve of known endomorphism ring. Such a hash function would open up interesting cryptographic applications. In this paper, we document a number of (thus far) failed attempts to solve this problem, in the hope that we may spur further research, and shed light on the challenges and obstacles to this endeavour. The mathematical approaches contained in this article include: \begin{enumerate*}[label=(\roman*)] \item iterative root-finding for the supersingular polynomial; \item gcd's of specialized modular polynomials; \item using division polynomials to create small systems of equations; \item taking random walks in the isogeny graph of abelian surfaces, and applying Kummer surfaces; and \item using quantum random walks. \end{enumerate*}",

author = "Christophe Petit and Jeremie Booher and Ross Bowden and Javad Doliskani and Fouotsa, {Tako Boris} and Galbraith, {Steven D.} and Sabrina Kunzweiler and Simon-Philipp Merz and Benjamin Smith and Stange, {Katherine E.} and Ti, {Yan Bo} and Christelle Vincent and Voloch, {Jos{\'e} Felipe} and Charlotte Weitk{\"a}mper and Lukas Zobernig",

note = "Not yet published as of 22/04/2024",

year = "2024",

month = mar,

day = "27",

language = "English",

journal = "The Computer Journal",

issn = "0010-4620",

publisher = "Oxford University Press",

}

TY - JOUR

T1 - Failing to hash into supersingular isogeny graphs

AU - Petit, Christophe

AU - Booher, Jeremie

AU - Bowden, Ross

AU - Doliskani, Javad

AU - Fouotsa, Tako Boris

AU - Galbraith, Steven D.

AU - Kunzweiler, Sabrina

AU - Merz, Simon-Philipp

AU - Smith, Benjamin

AU - Stange, Katherine E.

AU - Ti, Yan Bo

AU - Vincent, Christelle

AU - Voloch, José Felipe

AU - Weitkämper, Charlotte

AU - Zobernig, Lukas

N1 - Not yet published as of 22/04/2024

PY - 2024/3/27

Y1 - 2024/3/27

N2 - An important open problem in supersingular isogeny-based cryptography is to produce, without a trusted authority, concrete examples of ``hard supersingular curves'' that is, equations for supersingular curves for which computing the endomorphism ring is as difficult as it is for random supersingular curves. A related open problem is to produce a hash function to the vertices of the supersingular $\ell$-isogeny graph which does not reveal the endomorphism ring, or a path to a curve of known endomorphism ring. Such a hash function would open up interesting cryptographic applications. In this paper, we document a number of (thus far) failed attempts to solve this problem, in the hope that we may spur further research, and shed light on the challenges and obstacles to this endeavour. The mathematical approaches contained in this article include: \begin{enumerate*}[label=(\roman*)] \item iterative root-finding for the supersingular polynomial; \item gcd's of specialized modular polynomials; \item using division polynomials to create small systems of equations; \item taking random walks in the isogeny graph of abelian surfaces, and applying Kummer surfaces; and \item using quantum random walks. \end{enumerate*}

AB - An important open problem in supersingular isogeny-based cryptography is to produce, without a trusted authority, concrete examples of ``hard supersingular curves'' that is, equations for supersingular curves for which computing the endomorphism ring is as difficult as it is for random supersingular curves. A related open problem is to produce a hash function to the vertices of the supersingular $\ell$-isogeny graph which does not reveal the endomorphism ring, or a path to a curve of known endomorphism ring. Such a hash function would open up interesting cryptographic applications. In this paper, we document a number of (thus far) failed attempts to solve this problem, in the hope that we may spur further research, and shed light on the challenges and obstacles to this endeavour. The mathematical approaches contained in this article include: \begin{enumerate*}[label=(\roman*)] \item iterative root-finding for the supersingular polynomial; \item gcd's of specialized modular polynomials; \item using division polynomials to create small systems of equations; \item taking random walks in the isogeny graph of abelian surfaces, and applying Kummer surfaces; and \item using quantum random walks. \end{enumerate*}

UR - https://academic.oup.com/comjnl

M3 - Article

SN - 0010-4620

JO - The Computer Journal

JF - The Computer Journal

ER -

Failing to hash into supersingular isogeny graphs

Abstract

Bibliographical note

Embargoed Document

Fingerprint

Cite this