Ramanujan graphs in cryptography

In this paper we study the security of a proposal for Post-Quantum Cryptography from both a number theoretic and cryptographic perspective. Charles-Goren-Lauter in 2006 [CGL06] proposed two hash functions based on the hardness of finding paths in Ramanujan graphs. One is based on Lubotzky-Phillips-Sarnak (LPS) graphs and the other one is based on Supersingular Isogeny Graphs. A 2008 paper by Petit-Lauter-Quisquater breaks the hash function based on LPS graphs. On the Supersingular Isogeny Graphs proposal, recent work has continued to build cryptographic applications on the hardness of finding isogenies between supersingular elliptic curves. A 2011 paper by De Feo-Jao-Pl\^{u}t proposed a cryptographic system based on Supersingular Isogeny Diffie-Hellman as well as a set of five hard problems. In this paper we show that the security of the SIDH proposal relies on the hardness of the SIG path-finding problem introduced in [CGL06]. In addition, similarities between the number theoretic ingredients in the LPS and Pizer constructions suggest that the hardness of the path-finding problem in the two graphs may be linked. By viewing both graphs from a number theoretic perspective, we identify the similarities and differences between the Pizer and LPS graphs.Comment: 33 page

Three projects in arithmetic geometry: torsion points and curves of low genus

2019 Fall.Includes bibliographical references.This paper is an exposition of three different projects in arithmetic geometry. All of them consider problems related to smooth curves with low genus and the torsion points of their Jacobians. The first project studies curves over finite fields and two invariants of the p-torsion part of their Jacobians: the a-number (a) and p-rank (f). There are many open questions in the literature about the existence of curves with a certain genus g and given values of a and f. In particular, not much is known when g = 4 and the curve is non-hyperelliptic. This is the case that we focus on here; we collect and analyze statistical data of curves over Fp for p = 3, 5, 7, 11 and their invariants. Then, we study the existence of Cartier points, which are also related to the structure of J[p]. For curves with 0 ≤ a < g, the number of Cartier points is bounded, and it depends on a and f. The second project addresses the problem of computing the endomorphism ring of a supersingular elliptic curve. This question has gained recent interest as the basis of alternative cryptosystems that hope to be resistant to quantum attacks. Our strategy is to generate these endomorphism rings by finding cycles in the l-isogeny graph which correspond to generators of the ring. We were able to find a condition for cycles to be linearly independent and an obstruction for two of them to be generators. Finally, the last chapter considers the Galois representations associated to the n-torsion points of elliptic curves over Q. In concrete, we construct models for the modular curves associated to applicable subgroups of GL₂(Z/nZ) and find the rational points on all of those which result in genus 0 or 1 curves, or prove that they have infinitely many. We also analyze the curves with a hyperelliptic genus 2 model and provably find the rational points on all but seven of them

Post-Quantum Cryptography from Supersingular Isogenies (Theory and Applications of Supersingular Curves and Supersingular Abelian Varieties)

This paper is based on a presentation made at RIMS conference on “Theory and Applications of Supersingular Curves and Supersingular Abelian Varieties”, so-called “Supersingular 2020”. Post-quantum cryptography is a next-generation public-key cryptosystem that resistant to cryptoanalysis by both classical and quantum computers. Isogenies between supersingular elliptic curves present one promising candidate, which is called isogeny-based cryptography. In this paper, we give an introduction to two isogeny-based key exchange protocols, SIDH [17] and CSIDH [2], which are considered as a standard in the subject so far. Moreover, we explain briefly our recent result [24] about cycles in the isogeny graphs used in some parameters of SIKE, which is a key encapsulation mechanism based on SIDH

Orientations and cycles in supersingular isogeny graphs

The paper concerns several theoretical aspects of oriented supersingular $\ell$-isogeny volcanoes and their relationship to closed walks in the supersingular $\ell$-isogeny graph. Our main result is a bijection between the rims of the union of all oriented supersingular $\ell$-isogeny volcanoes over $\overline{\mathbb{F}}_p$ (up to conjugation of the orientations), and isogeny cycles (non-backtracking closed walks which are not powers of smaller walks) of the supersingular $\ell$-isogeny graph over $\overline{\mathbb{F}}_p$. The exact proof and statement of this bijection are made more intricate by special behaviours arising from extra automorphisms and the ramification of $p$ in certain quadratic orders. We use the bijection to count isogeny cycles of given length in the supersingular $\ell$-isogeny graph exactly as a sum of class numbers of these orders, and also give an explicit upper bound by estimating the class numbers

The Existence of Cycles in the Supersingular Isogeny Graphs Used in SIKE

In this paper, we consider the structure of isogeny graphs in SIDH, that is an isogeny-based key-exchange protocol. SIDH is the underlying protocol of SIKE, which is one of the candidates for NIST post quantum cryptography standardization. Since the security of SIDH is based on the hardness of the path-finding problem in isogeny graphs, it is important to study those structure. The existence of cycles in isogeny graph is related to the path-finding problem, so we investigate cycles in the graphs used in SIKE. In particular, we focus on SIKEp434 and SIKEp503, which are the parameter sets of SIKE claimed to satisfy the NIST security level 1 and 2, respectively. We show that there are two cycles in the 3-isogeny graph in SIKEp434, and there is no cycles in the other graphs in SIKEp434 and SIKEp503