Horizontal isogeny graphs of ordinary abelian varieties and the discrete logarithm problem
Fix an ordinary abelian variety defined over a finite field. The ideal class
group of its endomorphism ring acts freely on the set of isogenous varieties
with same endomorphism ring, by complex multiplication. Any subgroup of the
class group, and generating set thereof, induces an isogeny graph on the orbit
of the variety for this subgroup. We compute (under the Generalized Riemann
Hypothesis) some bounds on the norms of prime ideals generating it, such that
the associated graph has good expansion properties.
We use these graphs, together with a recent algorithm of Dudeanu, Jetchev and
Robert for computing explicit isogenies in genus 2, to prove random
self-reducibility of the discrete logarithm problem within the subclasses of
principally polarizable ordinary abelian surfaces with fixed endomorphism ring.
In addition, we remove the heuristics in the complexity analysis of an
algorithm of Galbraith for explicitly computing isogenies between two elliptic
curves in the same isogeny class, and extend it to a more general setting
including genus 2.
Comment: 18 pages
Isogeny graphs of ordinary abelian varieties
Fix a prime number . Graphs of isogenies of degree a power of
are well-understood for elliptic curves, but not for higher-dimensional abelian
varieties. We study the case of absolutely simple ordinary abelian varieties
over a finite field. We analyse graphs of so-called -isogenies,
resolving that they are (almost) volcanoes in any dimension. Specializing to
the case of principally polarizable abelian surfaces, we then exploit this
structure to describe graphs of a particular class of isogenies known as
-isogenies: those whose kernels are maximal isotropic subgroups
of the -torsion for the Weil pairing. We use these two results to write
an algorithm giving a path of computable isogenies from an arbitrary absolutely
simple ordinary abelian surface towards one with maximal endomorphism ring,
which has immediate consequences for the CM-method in genus 2, for computing
explicit isogenies, and for the random self-reducibility of the discrete
logarithm problem in genus 2 cryptography.
Comment: 36 pages, 4 figures
The supersingular Endomorphism Ring and One Endomorphism problems are equivalent
The supersingular Endomorphism Ring problem is the following: given a
supersingular elliptic curve, compute all of its endomorphisms. The presumed
hardness of this problem is foundational for isogeny-based cryptography. The
One Endomorphism problem only asks to find a single non-scalar endomorphism. We
prove that these two problems are equivalent, under probabilistic polynomial
time reductions. We prove a number of consequences. First, assuming the
hardness of the endomorphism ring problem, the Charles--Goren--Lauter hash
function is collision resistant, and the SQIsign identification protocol is
sound. Second, the endomorphism ring problem is equivalent to the problem of
computing arbitrary isogenies between supersingular elliptic curves, a result
previously known only for isogenies of smooth degree. Third, there exists an
unconditional probabilistic algorithm to solve the endomorphism ring problem in
time O~(sqrt(p)), a result that previously required assuming the generalized
Riemann hypothesis. To prove our main result, we introduce a flexible framework
for the study of isogeny graphs with additional information. We prove a general
and easy-to-use rapid mixing theorem
Discrete logarithms in quasi-polynomial time in finite fields of fixed characteristic
We prove that the discrete logarithm problem can be solved in quasi-polynomial expected time in the multiplicative group of finite fields of fixed characteristic. More generally, we prove that it can be solved in the field of cardinality $p^n$ in expected time $(p^n)^{2\log_2(n)+O(1)}$.
The supersingular endomorphism ring problem given one endomorphism
Given a supersingular elliptic curve E and a non-scalar endomorphism
of E, we prove that the endomorphism ring of E can be computed in classical
time about disc(Z[])^1/4 , and in quantum subexponential time, assuming
the generalised Riemann hypothesis. Previous results either had higher
complexities, or relied on heuristic assumptions. Along the way, we prove that
the Primitivisation problem can be solved in polynomial time (a problem
previously believed to be hard), and we prove that the action of smooth ideals
on oriented elliptic curves can be computed in polynomial time (previous
results of this form required the ideal to be powersmooth, i.e., not divisible
by any large prime power). Following the attacks on SIDH, isogenies in high
dimension are a central ingredient of our results.
Malleability of the blockchain’s entropy
Trustworthy generation of public random numbers is necessary for the security of a number of cryptographic applications. It was suggested to use the inherent unpredictability of blockchains as a source of public randomness. Entropy from the Bitcoin blockchain in particular has been used in lotteries and has been suggested for a number of other applications ranging from smart contracts to election auditing. In this article, we analyse this idea and show how an adversary could manipulate these random numbers, even with limited computational power and financial budget.
Efficient verifiable delay functions
We construct a verifiable delay function (VDF). A VDF is a function whose evaluation requires running a given number of sequential steps, yet the result can be efficiently verified. They have applications in decentralised systems, such as the generation of trustworthy public randomness in a trustless environment, or resource-efficient blockchains. To construct our VDF, we actually build a trapdoor VDF. A trapdoor VDF is essentially a VDF which can be evaluated efficiently by parties who know a secret (the trapdoor). By setting up this scheme in a way that the trapdoor is unknown (not even by the party running the setup, so that there is no need for a trusted setup environment), we obtain a simple VDF. Our construction is based on groups of unknown order such as an RSA group, or the class group of an imaginary quadratic field. The output of our construction is very short (the result and the proof of correctness are each a single element of the group), and the verification of correctness is very efficient.