Adventures in Supersingularland
In this paper, we study isogeny graphs of supersingular elliptic curves.
Supersingular isogeny graphs were introduced as a hard problem into
cryptography by Charles, Goren, and Lauter for the construction of
cryptographic hash functions [CGL06]. These are large expander graphs, and the
hard problem is to find an efficient algorithm for routing, or path-finding,
between two vertices of the graph. We consider four aspects of supersingular
isogeny graphs, study each thoroughly and, where appropriate, discuss how they
relate to one another.
First, we consider two related graphs that help us understand the structure:
the `spine', which is the subgraph of
given by the -invariants in
, and the graph , in which both
curves and isogenies must be defined over . We show how to pass
from the latter to the former. The graph is relevant for
cryptanalysis because routing between vertices in is easier than
in the full isogeny graph. The -vertices are typically assumed to
be randomly distributed in the graph, which is far from true. We provide an
analysis of the distances of connected components of .
Next, we study the involution on
that is given by the Frobenius of and give heuristics on how
often shortest paths between two conjugate -invariants are preserved by this
involution (mirror paths). We also study the related question of what
proportion of conjugate -invariants are -isogenous for .
We conclude with experimental data on the diameters of supersingular isogeny
graphs when and compare this with previous results on diameters of
LPS graphs and random Ramanujan graphs.
Comment: 46 pages. Comments welcome.
Rational isogenies from irrational endomorphisms
In this paper, we introduce a polynomial-time algorithm to compute a connecting -ideal between two supersingular elliptic curves over with common -endomorphism ring , given a description of their full endomorphism rings. This algorithm provides a reduction of the security of the CSIDH cryptosystem to the problem of computing endomorphism rings of supersingular elliptic curves. A similar reduction for SIDH appeared at Asiacrypt 2016, but relies on totally different techniques. Furthermore, we also show that any supersingular elliptic curve constructed using the complex-multiplication method can be located precisely in the supersingular isogeny graph by explicitly deriving a path to a known base curve. This result prohibits the use of such curves as a building block for a hash function into the supersingular isogeny graph.
Towards a Quantum-resistant Weak Verifiable Delay Function
In this paper, we present a new quantum-resistant weak Verifiable Delay Function based on a purely algebraic construction. Its delay depends on computing a large-degree isogeny between elliptic curves, whereas its verification relies on the computation of isogenies between products of two elliptic curves. One of its major advantages is its expected fast verification time. However, it is important to note that the practical implementation of our theoretical framework poses significant challenges. We examine the strengths and weaknesses of our construction, analyze its security and provide a proof-of-concept implementation.
Failing to hash into supersingular isogeny graphs
An important open problem in supersingular isogeny-based cryptography is to
produce, without a trusted authority, concrete examples of "hard supersingular
curves", that is, equations for supersingular curves for which computing the
endomorphism ring is as difficult as it is for random supersingular curves. A
related open problem is to produce a hash function to the vertices of the
supersingular -isogeny graph which does not reveal the endomorphism ring,
or a path to a curve of known endomorphism ring. Such a hash function would
open up interesting cryptographic applications. In this paper, we document a
number of (thus far) failed attempts to solve this problem, in the hope that we
may spur further research, and shed light on the challenges and obstacles to
this endeavour. The mathematical approaches contained in this article include:
(i) iterative root-finding for the supersingular polynomial; (ii) gcds of
specialized modular polynomials; (iii) using division polynomials to create
small systems of equations; (iv) taking random walks in the isogeny graph of
abelian surfaces; and (v) using quantum random walks.
Comment: 33 pages, 7 figures.
Higher-degree supersingular group actions
We investigate the isogeny graphs of supersingular elliptic curves over equipped with a -isogeny to their Galois conjugate. These curves are interesting because they are, in a sense, a generalization of curves defined over , and there is an action of the ideal class group of on the isogeny graphs. We investigate constructive and destructive aspects of these graphs in isogeny-based cryptography, including generalizations of the CSIDH cryptosystem and the Delfs-Galbraith algorithm.
AN EXPOSITION OF ELLIPTIC CURVE CRYPTOGRAPHY
Protecting information that is being communicated between two parties over unsecured channels is of huge importance in today's world. The use of mathematical concepts to achieve high levels of security when communicating over these unsecured platforms is cryptography. The world of cryptography is always expanding and growing. In this paper, we set out to explore the use of elliptic curves in the cryptography of today, as well as the cryptography of the future. We also offer our own original cryptosystem, CSDH. This system on its own offers some moderate level of security. It shares many similarities with the post-quantum SIDH system. The parallels between these two systems can lead to a deeper understanding of the systems offered for our post-quantum world.
Security Analysis of Isogeny-Based Cryptosystems
Let be a supersingular elliptic curve over a finite field.
In this document we study public-key encryption schemes which use non-constant rational maps from .
The purpose of this study is to determine if such cryptosystems are secure.
Supersingular Isogeny Diffie-Hellman (SIDH) and other supersingular isogeny-based cryptosystems are considered.
The content is naturally divided by cryptosystem, and in the case of SIDH, further divided by type of cryptanalysis:
SIDH when the endomorphism ring of the base elliptic curve is given (as is done in practice), repeated use of keys in SIDH, and endomorphism ring constructing algorithms.
In each case the relevant background material is presented to develop the theory.
In studying the security of SIDH when the endomorphism ring of the base curve is known, one of the main results is the following.
This theorem is then used to reduce the security of such an SIDH instantiation to the problem of finding particular endomorphisms in \End(E).
\begin{thm}
Given
\begin{enumerate}
\item a supersingular elliptic curve E/\FQ such that for coprime , where is -smooth,
\item an elliptic curve that is the codomain of an -isogeny ,
\item the action of on , and
\item a -endomorphism of , where , and if \g is the greatest integer such that and , then \h := \frac{k}{g} < N_1,
\end{enumerate}
there exists a classical algorithm with worst case runtime \tilde{O}(\h^3) which decides whether or not, but may give false positives with probability .
Further, if \h is -smooth, then the runtime is \tilde{O} (\sqrt{\h}).
\end{thm}
In studying the security of repeated use of SIDH public keys, the main result presented is the following theorem, which proves that performing multiple pairwise instances of SIDH prevents certain active attacks when keys are reused.
\begin{thm}
Assuming that the CSSI problem is intractable, it is computationally infeasible for a malicious adversary, with non-negligible probability, to modify a public key to some which is malicious for SIDH.
\end{thm}
It is well known that the problem of computing hidden supersingular isogenies can be reduced to computing the endomorphism rings of the domain and codomain elliptic curves.
A novel algorithm for computing an order in the endomorphism ring of a supersingular elliptic curve is presented and analyzed to have runtime .
In studying non-SIDH cryptosystems, four other isogeny-based cryptosystems are examined.
The first three were all proposed by the same authors and use secret endomorphisms.
These are each shown to be either totally insecure (private keys can be recovered directly from public keys) or impractical to implement efficiently.
The fourth scheme is a novel proposal which attempts to combine isogenies with the learning with errors problem.
This proposal is also shown to be totally insecure.