On the Hardness of Computing Endomorphism Rings of Supersingular Elliptic Curves
Cryptosystems based on supersingular isogenies have been
proposed recently for use in post-quantum cryptography. Three problems have
emerged related to their hardness: computing an isogeny between two
curves, computing the endomorphism ring of a curve, and computing
a maximal order associated to it. While some of these problems
are believed to be polynomial-time equivalent based on heuristics,
their relationship is still unknown. We give the first reduction
between these problems, with the aid of one more problem which we
call Action-on--Torsion. We show that computing -power
isogenies reduces to computing maximal orders and
Action-on--Torsion.
We also define the notion of a compact representation of an
endomorphism, and use this to show that endomorphism rings always
have polynomial representation size. We then reduce the
endomorphism ring problem to computing maximal orders and
Action-on--Torsion, thus laying the foundation for analysis of
the hardness of endomorphism ring computation. This identifies
these last two problems as one possible way to attack some systems,
such as hash functions based on the -isogeny graph of
supersingular elliptic curves. This gives the potential to use
algebraic tools in quaternion algebras to solve the problems.
We also discuss how these reductions apply to attacks on a
hash function of Charles, Goren, and Lauter.
Supersingular isogeny graphs and endomorphism rings: reductions and solutions
In this paper, we study several related computational problems for supersingular elliptic curves, their isogeny graphs, and their endomorphism rings. We prove reductions between the problem of path finding in the -isogeny graph, computing maximal orders isomorphic to the endomorphism ring of a supersingular elliptic curve, and computing the endomorphism ring itself. We also give constructive versions of Deuring’s correspondence, which associates to a maximal order in a certain quaternion algebra an isomorphism class of supersingular elliptic curves. The reductions are based on heuristics regarding the distribution of norms of elements in quaternion algebras. We show that conjugacy classes of maximal orders have a representative of polynomial size, and we define a way to represent endomorphism ring generators in a way that allows for efficient evaluation at points on the curve. We relate these problems to the security of the Charles-Goren-Lauter hash function. We provide a collision attack for special but natural parameters of the hash function and prove that for general parameters its preimage and collision resistance are also equivalent to the endomorphism ring computation problem.
37th Annual International Conference on the Theory and Applications of Cryptographic Techniques, EUROCRYPT 2018; Tel Aviv; Israel; 29 April 2018 through 3 May 2018. ISBN: 978-331978371-0. Volume Editors: Nielsen J.B., Rijmen V. Publisher: Springer Verla