Failing to hash into supersingular isogeny graphs

Jeremy Booher; Ross Bowden; Javad Doliskani; Tako Boris Fouotsa; Steven D.  Galbraith; Sabrina Kunzweiler; Simon-Philipp Merz; Christophe Petit; Benjamin Smith; Katherine E. Stange; Yan Bo Ti; Christelle Vincent; José Felipe Voloch; Charlotte Weitkämper; Lukas Zobernig

Paper 2022/518

Failing to hash into supersingular isogeny graphs

Jeremy Booher, University of Canterbury

Ross Bowden, University of Bristol

Javad Doliskani, Ryerson University

Tako Boris Fouotsa, École Polytechnique Fédérale de Lausanne

Steven D. Galbraith, The University of Auckland

Sabrina Kunzweiler, Ruhr-Universität Bochum

Simon-Philipp Merz, Royal Holloway University of London

Christophe Petit, Université Libre de Bruxelles

Benjamin Smith, École Polytechnique

Katherine E. Stange, University of Colorado Boulder

Yan Bo Ti, DSO National Laboratories

Christelle Vincent, University of Vermont

José Felipe Voloch, University of Canterbury

Charlotte Weitkämper, University of Birmingham

Lukas Zobernig, The University of Auckland

Abstract

An important open problem in supersingular isogeny-based cryptography is to produce, without a trusted authority, concrete examples of "hard supersingular curves" that is, equations for supersingular curves for which computing the endomorphism ring is as difficult as it is for random supersingular curves. A related open problem is to produce a hash function to the vertices of the supersingular ℓ-isogeny graph which does not reveal the endomorphism ring, or a path to a curve of known endomorphism ring. Such a hash function would open up interesting cryptographic applications. In this paper, we document a number of (thus far) failed attempts to solve this problem, in the hope that we may spur further research, and shed light on the challenges and obstacles to this endeavour. The mathematical approaches contained in this article include: (i) iterative root-finding for the supersingular polynomial; (ii) gcd's of specialized modular polynomials; (iii) using division polynomials to create small systems of equations; (iv) taking random walks in the isogeny graph of abelian surfaces; and (v) using quantum random walks.

Metadata

Available format(s): PDF
Category: Public-key cryptography
Publication info: Preprint.
Keywords: supersingular isogeny elliptic curve hashing
Contact author(s): jeremy booher @ canterbury ac nz
ross bowden @ bristol ac uk
javad doliskani @ ryerson ca
tako fouotsa @ epfl ch
s galbraith @ auckland ac nz
sabrina kunzweiler @ ruhr-uni-bochum de
simon-philipp merz 2018 @ rhul ac uk
christophe f petit @ gmail com
smith @ lix polytechnique fr
kstange @ math colorado edu
yanbo ti @ gmail com
christelle vincent @ uvm edu
felipe voloch @ canterbury ac nz
c weitkaemper @ pgr bham ac uk
lukas zobernig @ auckland ac nz
History: 2022-10-19: revised; 2022-05-02: received; See all versions
Short URL: https://ia.cr/2022/518
License: CC BY

BibTeX

@misc{cryptoeprint:2022/518,
      author = {Jeremy Booher and Ross Bowden and Javad Doliskani and Tako Boris Fouotsa and Steven D.  Galbraith and Sabrina Kunzweiler and Simon-Philipp Merz and Christophe Petit and Benjamin Smith and Katherine E. Stange and Yan Bo Ti and Christelle Vincent and José Felipe Voloch and Charlotte Weitkämper and Lukas Zobernig},
      title = {Failing to hash into supersingular isogeny graphs},
      howpublished = {Cryptology ePrint Archive, Paper 2022/518},
      year = {2022},
      note = {\url{https://eprint.iacr.org/2022/518}},
      url = {https://eprint.iacr.org/2022/518}
}