TY - JOUR
T1 - Failing to hash into supersingular isogeny graphs
AU - Petit, Christophe
AU - Booher, Jeremie
AU - Bowden, Ross
AU - Doliskani, Javad
AU - Fouotsa, Tako Boris
AU - Galbraith, Steven D.
AU - Kunzweiler, Sabrina
AU - Merz, Simon-Philipp
AU - Smith, Benjamin
AU - Stange, Katherine E.
AU - Ti, Yan Bo
AU - Vincent, Christelle
AU - Voloch, José Felipe
AU - Weitkämper, Charlotte
AU - Zobernig, Lukas
N1 - Not yet published as of 22/04/2024
PY - 2024/3/27
Y1 - 2024/3/27
N2 - An important open problem in supersingular isogeny-based cryptography is to produce, without a trusted authority, concrete examples of ``hard supersingular curves'' that is, equations for supersingular curves for which computing the endomorphism ring is as difficult as it is for random supersingular curves. A related open problem is to produce a hash function to the vertices of the supersingular $\ell$-isogeny graph which does not reveal the endomorphism ring, or a path to a curve of known endomorphism ring. Such a hash function would open up interesting cryptographic applications. In this paper, we document a number of (thus far) failed attempts to solve this problem, in the hope that we may spur further research, and shed light on the challenges and obstacles to this endeavour. The mathematical approaches contained in this article include: \begin{enumerate*}[label=(\roman*)] \item iterative root-finding for the supersingular polynomial; \item gcd's of specialized modular polynomials; \item using division polynomials to create small systems of equations; \item taking random walks in the isogeny graph of abelian surfaces, and applying Kummer surfaces; and \item using quantum random walks. \end{enumerate*}
AB - An important open problem in supersingular isogeny-based cryptography is to produce, without a trusted authority, concrete examples of ``hard supersingular curves'' that is, equations for supersingular curves for which computing the endomorphism ring is as difficult as it is for random supersingular curves. A related open problem is to produce a hash function to the vertices of the supersingular $\ell$-isogeny graph which does not reveal the endomorphism ring, or a path to a curve of known endomorphism ring. Such a hash function would open up interesting cryptographic applications. In this paper, we document a number of (thus far) failed attempts to solve this problem, in the hope that we may spur further research, and shed light on the challenges and obstacles to this endeavour. The mathematical approaches contained in this article include: \begin{enumerate*}[label=(\roman*)] \item iterative root-finding for the supersingular polynomial; \item gcd's of specialized modular polynomials; \item using division polynomials to create small systems of equations; \item taking random walks in the isogeny graph of abelian surfaces, and applying Kummer surfaces; and \item using quantum random walks. \end{enumerate*}
UR - https://academic.oup.com/comjnl
M3 - Article
SN - 0010-4620
JO - The Computer Journal
JF - The Computer Journal
ER -