Abstract
We study \((\ell ,\ell )\)-isogeny graphs of principally polarised supersingular abelian surfaces (PPSSAS). The \((\ell ,\ell )\)-isogeny graph has cycles of small length that can be used to break the collision resistance assumption of the genus two isogeny hash function suggested by Takashima. Algorithms for computing (2, 2)-isogenies on the level of Jacobians and (3, 3)-isogenies on the level of Kummers are used to develop a genus two version of the supersingular isogeny Diffie–Hellman protocol of Jao and de Feo. The genus two isogeny Diffie–Hellman protocol achieves the same level of security as SIDH but uses a prime with a third of the bit length.
Notes
1. To see this, note that each \(e_{\ell }(P_i,P_j)=\mu ^{\alpha _{i,j}}\), where \(\mu \) is an \(\ell \)-th root of unity and \(\alpha _{i,j}\) is some non-zero integer. We can express the isotropic condition as
$$b_4(\alpha _{1,4}a_1+\alpha _{2,4}a_2+\alpha _{3,4}a_3)\equiv \begin{array}{l} \alpha _{1,2}(a_2b_1-a_1b_2)+\alpha _{1,3}(a_3b_1-a_1b_3)\\ +\alpha _{2,3}(a_3b_2-a_2b_3)+\alpha _{1,4}a_4b_1\\ +\alpha _{2,4}a_4b_2+\alpha _{3,4}a_4b_3 \end{array}\pmod {\ell }. $$
In the case where \(\alpha _{1,4}a_1+\alpha _{2,4}a_2+\alpha _{3,4}a_3\not \equiv 0 \pmod {\ell }\), we have free choices for \(b_1,b_2,b_3\) (not all divisible by \(\ell \)) and so have \(\ell ^{3n}-\ell ^{3n-3}\) choices.
2. This will not be a uniformly random choice if one wants to sample the entire keyspace.
3. The files containing the formulae can be found at http://www.cecm.sfu.ca/~nbruin/c3xc3/.
4. Note that we actually mean \(\langle [4]\phi (P),[2]\phi (R)\rangle \), where \(\phi \) corresponds to the (2, 2)-isogeny from (1). We will drop \(\phi \) for ease of notation.
References
Bruin, N., Doerksen, K.: The arithmetic of genus two curves with (4, 4)-split Jacobians. Can. J. Math. 63, 992–1024 (2009)
Bruin, N., Flynn, E.V., Testa, D.: Descent via (3, 3)-isogeny on Jacobians of genus 2 curves. Acta Arithmetica 165 (2014)
Cassels, J.W.S., Flynn, E.V.: Prolegomena to a Middlebrow Arithmetic of Curves of Genus 2. London Mathematical Society Lecture Note Series. Cambridge University Press, Cambridge (1996)
Charles, D.X., Lauter, K.E., Goren, E.Z.: Cryptographic hash functions from expander graphs. J. Cryptol. 22(1), 93–113 (2009)
Costello, C.: Computing supersingular isogenies on Kummer surfaces. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018. LNCS, vol. 11274, pp. 428–456. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03332-3_16
Couveignes, J.M.: Hard homogeneous spaces. Cryptology ePrint Archive, Report 2006/291 (2006). http://eprint.iacr.org/2006/291
Eisenträger, K., Hallgren, S., Lauter, K., Morrison, T., Petit, C.: Supersingular isogeny graphs and endomorphism rings: reductions and solutions. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10822, pp. 329–368. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78372-7_11
Galbraith, S.D.: Mathematics of Public Key Cryptography, 1st edn. Cambridge University Press, New York (2012)
Galbraith, S.D., Petit, C., Shani, B., Ti, Y.B.: On the security of supersingular isogeny cryptosystems. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 63–91. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53887-6_3
Gélin, A., Wesolowski, B.: Loop-abort faults on supersingular isogeny cryptosystems. In: Lange, T., Takagi, T. (eds.) PQCrypto 2017. LNCS, vol. 10346, pp. 93–106. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-59879-6_6
Gonzalez, J., Guàrdia, J., Rotger, V.: Abelian surfaces of GL[2]-type as Jacobians of curves. Acta Arithmetica 116, 263–287 (2005)
Jao, D., De Feo, L.: Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. In: Yang, B.-Y. (ed.) PQCrypto 2011. LNCS, vol. 7071, pp. 19–34. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25405-5_2
Kohel, D., Lauter, K., Petit, C., Tignol, J.: On the quaternion \(\ell \)-isogeny path problem. LMS J. Comput. Math. 17(Special issue A), 418–432 (2014)
De Feo, L., Jao, D., Plût, J.: Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. J. Math. Cryptol. 8(3), 209–247 (2014)
Milne, J.S.: Abelian varieties. In: Cornell, G., Silverman, J.H. (eds.) Arithmetic Geometry, pp. 103–150. Springer, New York (1986). https://doi.org/10.1007/978-1-4613-8655-1_5
Mumford, D.: Abelian Varieties, Tata Institute of Fundamental Research Studies in Mathematics, vol. 5. Tata Institute of Fundamental Research, Bombay (2008)
Petit, C.: Faster algorithms for isogeny problems using torsion point images. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10625, pp. 330–353. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70697-9_12
Rostovtsev, A., Stolbunov, A.: Public-key cryptosystem based on isogenies. Cryptology ePrint Archive, Report 2006/145 (2006). http://eprint.iacr.org/
Serre, J.P.: Algebraic Groups and Class Fields. Graduate Texts in Mathematics, vol. 117. Springer, New York (1988). https://doi.org/10.1007/978-1-4612-1035-1. Translated from the French
Smith, B.: Explicit endomorphisms and correspondences. Ph.D. thesis, University of Sydney (2005)
Takashima, K.: Efficient algorithms for isogeny sequences and their cryptographic applications. In: Takagi, T., Wakayama, M., Tanaka, K., Kunihiro, N., Kimoto, K., Duong, D.H. (eds.) Mathematical Modelling for Next-Generation Cryptography. MI, vol. 29, pp. 97–114. Springer, Singapore (2018). https://doi.org/10.1007/978-981-10-5065-7_6
Takashima, K., Yoshida, R.: An algorithm for computing a sequence of Richelot isogenies. Bull. Korean Math. Soc. 46, 789–802 (2009)
Tani, S.: Claw finding algorithms using quantum walk. arXiv e-prints (2007)
Ti, Y.B.: Fault attack on supersingular isogeny cryptosystems. In: Lange, T., Takagi, T. (eds.) PQCrypto 2017. LNCS, vol. 10346, pp. 107–122. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-59879-6_7
Vélu, J.: Isogénies entre courbes elliptiques. C.R. Acad. Sci. Paris, Série A. 273, 238–241 (1971)
Acknowledgements
The authors would like to thank Steven Galbraith, Lukas Zobernig, Chloe Martindale, Luca de Feo and David Kohel for enlightening discussions. In particular, we thank Steven for the idea of the cryptanalysis of the hash function. We also thank the reviewers for suggesting improvements to the paper, most of which we have tried to include.
Appendices
A Examples of Isogeny Graphs
We will consider kernels of order 256 in this example. The key to each example is to find the number of \(C_2\times C_2\) subgroups of each kernel, since this corresponds to the number of possible (2, 2)-isogenies. Firstly, we note that the structure of a maximal isotropic subgroup of order 256 must be \(C_{16}\times C_{16}\), \(C_{16}\times C_4\times C_4\), or \(C_{16}\times C_8\times C_2\) by Proposition 2. The isogeny graphs are given in Fig. 1.
The easy case is when the kernel \(K_0\) has the structure \(C_{16}\times C_{16}\). This is because there is only one \(C_2\times C_2\) subgroup in K. Hence, there is only one isogeny path available and we have a straight line.
Now, let us consider the case when \(K_1\) has the structure \(C_{16}\times C_4\times C_4\). We will label the isomorphism classes of the surfaces by (n), where n is a natural number. We will denote the first surface by (1).
We can represent the 3 generators of \(K_1\) by P, Q and R, where their orders are 16, 4 and 4 respectively. There are 3 different \(C_2\times C_2\) subgroups of K given by \(\langle [8]P,[2]Q\rangle \), \(\langle [8]P,[2]R\rangle \) and \(\langle [8]P,[2](Q+R)\rangle \), in accordance with Lemma 2. Hence, we can and will denote the (2, 2)-subgroups of K by the scalars preceding Q and R. For instance, the three subgroups given here are denoted by (2, 0), (0, 2) and (2, 2).
These 3 subgroups lead to non-isomorphic surfaces labelled as (2), (3) and (4). The edges are labelled by the subgroup corresponding to the isogeny.
Consider the vertex (2), and consider the (2, 2)-isogeny from (2) with kernel \(\langle [4]P,[2]R\rangle \) (see Note 4) and denote the codomain by (8). One can see that the isogeny from (1) to (8) has kernel \(\langle [4]P,[2]Q,[2]R\rangle \).
One can also map from (3) and (4) to (8) via the kernels (2,0) and (2,0). Immediately, one can spot the diamonds mentioned prior to this example. Indeed, the diamonds can be seen repeatedly in the graph.
Vertices can form tips of the diamond when there is a \(C_4\times C_2\times C_2\) subgroup in the kernel. This is best illustrated in the next example where the kernel \(K_2\) has structure \(C_{16}\times C_8\times C_2\). Using the notation from the previous example, \(K_2\) will be given by \(\langle P', Q', R'\rangle \), where \(P'=P\), \([2]Q'=Q\) and \(R'=[2]R\).
Starting from the vertex (1) again, we have the same 3 subgroups, which result in the same surfaces (2), (3) and (4). We also have that the three surfaces will all have maps into (8) as before. However, the residual kernel at (2) is now isomorphic to \(C_8\times C_8\), hence we see that the isogeny path from (2) down to (18) is a straight line. The residual kernel at (4), on the other hand, is \(C_8\times C_4\times C_2\), hence it contains \(C_4\times C_2\times C_2\) as a subgroup and so (4) forms the tip of another diamond.
Another thing to note about this case is that the moment R is in the kernel, we cannot have \(C_4\times C_2\times C_2\) as a subgroup of the residual kernel. This can be observed from the diagonal right-to-left lines in Fig. 1b.
Lastly, Fig. 2 shows all the neighbours which are two (2, 2)-isogenies away. So the top vertex is connected to each of the middle and bottom vertices by an isogeny of degree 4 and 16 respectively. The diamonds corresponding to kernels with the structure \(C_4\times C_2\times C_2\) (though contorted) are present, and their number is as predicted in Proposition 3.
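The walk through the graph of \(K_1=C_{16}\times C_4\times C_4\) described in this appendix can be reproduced on the level of subgroups alone, without any curve arithmetic. The following script is an added example and not code from the paper: a vertex is the cumulative kernel H of the isogeny from (1), the residual kernel is the quotient K/H, and a (2, 2)-step enlarges H by a \(C_2\times C_2\) quotient. Which steps are allowed is an assumption inferred from the three subgroups listed above (the statement of Lemma 2 is not on this page): a step must absorb every point \([2^{e-1}]x\) of the residual kernel, where \(2^e\) is its exponent, so that the exponent drops by one at each step. Under that rule the script recovers the three kernels from (1), the residual \(C_8\times C_4\times C_2\) after \(\langle [8]P,[2]Q\rangle \), the diamond from (1) to (8), and the number of vertices per level; it accepts any list of cyclic invariants, so \((16,16)\) and \((16,8,2)\) can be run the same way.

```python
"""Added example: (2,2)-isogeny graph of a fixed kernel K, computed on subgroups.

Assumed admissibility rule (inferred from Appendix A, not Lemma 2's text):
a step H -> H' with H'/H = C_2 x C_2 is allowed only if H' contains
[2^(e-1)]x for every x in K, where 2^e is the exponent of K/H.
"""
from itertools import product
from collections import defaultdict, deque


def elements(inv):
    """All points of C_{inv[0]} x C_{inv[1]} x ... as integer tuples."""
    return [tuple(t) for t in product(*[range(m) for m in inv])]


def add(x, y, inv):
    return tuple((a + b) % m for a, b, m in zip(x, y, inv))


def smul(k, x, inv):
    return tuple((k * a) % m for a, m in zip(x, inv))


def generators(inv):
    """Standard generators P, Q, R, ... (one per cyclic factor)."""
    n = len(inv)
    return [tuple(1 if i == j else 0 for j in range(n)) for i in range(n)]


def span(gens, inv):
    """Subgroup generated by gens, as a frozenset of points (closure by BFS)."""
    zero = tuple(0 for _ in inv)
    elems, frontier = {zero}, [zero]
    while frontier:
        nxt = []
        for x in frontier:
            for g in gens:
                y = add(x, g, inv)
                if y not in elems:
                    elems.add(y)
                    nxt.append(y)
        frontier = nxt
    return frozenset(elems)


def quotient_invariants(H, inv):
    """Cyclic decomposition of K/H (largest factor first), read off from the
    sizes of its 2^k-torsion: #factors of order >= 2^k equals
    log2|(K/H)[2^k]| - log2|(K/H)[2^(k-1)]|."""
    K = elements(inv)
    order = len(K) // len(H)
    counts, k = [], 0                      # counts[k] = |(K/H)[2^k]|
    while True:
        counts.append(sum(1 for x in K if smul(2 ** k, x, inv) in H) // len(H))
        if counts[-1] == order:
            break
        k += 1
    log2 = lambda n: n.bit_length() - 1
    rank = {k: log2(counts[k]) - log2(counts[k - 1]) for k in range(1, len(counts))}
    factors = []
    for k in range(1, len(counts)):
        factors += [2 ** k] * (rank[k] - rank.get(k + 1, 0))
    return tuple(sorted(factors, reverse=True))


def exponent(H, inv):
    """e with 2^e the exponent of the residual kernel K/H."""
    e = 0
    while not all(smul(2 ** e, g, inv) in H for g in generators(inv)):
        e += 1
    return e


def admissible_steps(H, inv):
    """All H' > H with H'/H = C_2 x C_2 that satisfy the assumed rule."""
    e = exponent(H, inv)
    if e == 0:                             # residual kernel is trivial: done
        return []
    reps, seen = [], set()                 # coset reps of the 2-torsion of K/H
    for x in elements(inv):
        if smul(2, x, inv) in H and x not in seen:
            reps.append(x)
            seen.update(add(x, h, inv) for h in H)
    must_contain = [smul(2 ** (e - 1), g, inv) for g in generators(inv)]
    found = set()
    for i, x in enumerate(reps):
        for y in reps[i + 1:]:             # H' = H + <x, y>, both of order 2 mod H
            Hp = frozenset(add(add(h, smul(a, x, inv), inv), smul(b, y, inv), inv)
                           for h in H for a in (0, 1) for b in (0, 1))
            if len(Hp) == 4 * len(H) and all(p in Hp for p in must_contain):
                found.add(Hp)
    return sorted(found, key=sorted)


def build_graph(inv):
    """BFS from H = {0} to H = K; returns (levels, succ) with levels[i] the
    vertices i steps from the start and succ[H] the admissible next vertices."""
    start = frozenset({tuple(0 for _ in inv)})
    succ, levels, queue = {}, defaultdict(list), deque([(start, 0)])
    while queue:
        H, depth = queue.popleft()
        if H in succ:
            continue
        succ[H] = admissible_steps(H, inv)
        levels[depth].append(H)
        queue.extend((Hp, depth + 1) for Hp in succ[H])
    return [levels[d] for d in sorted(levels)], succ


def level_sizes(inv):
    return [len(l) for l in build_graph(inv)[0]]


def diamonds(inv):
    """Pairs (u, w) joined by >= 2 length-2 paths, as {middle vertices: pairs}."""
    _, succ = build_graph(inv)
    paths = defaultdict(int)
    for u, vs in succ.items():
        for v in vs:
            for w in succ[v]:
                paths[(u, w)] += 1
    out = defaultdict(int)
    for n in paths.values():
        if n >= 2:
            out[n] += 1
    return dict(out)


if __name__ == "__main__":
    inv = (16, 4, 4)                       # K_1 of Appendix A; try (16, 16) or (16, 8, 2)
    H1 = span([(8, 0, 0), (0, 2, 0)], inv)  # <[8]P, [2]Q>
    print("steps from (1):", len(admissible_steps(frozenset({(0, 0, 0)}), inv)))
    print("residual kernel after <[8]P,[2]Q>:", quotient_invariants(H1, inv))
    print("vertices per level:", level_sizes(inv))
    print("diamonds (middle vertices -> count):", diamonds(inv))
```

With \((16,16)\) every level has a single vertex and no diamond appears, matching the straight line described for \(K_0\); with \((16,4,4)\) the first step has three choices and the three resulting vertices share the successor \(\langle [4]P,[2]Q,[2]R\rangle \), which is the diamond (1) to (8).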
B Implementation
We have implemented the key exchange scheme in MAGMA using a prime p of 100 bits. This yields a classical security of 75 bits and a quantum security of 50 bits. The first round of the key exchange, which required the mapping of points, took 145.7 s for Alice and 145.41 s for Bob. The second round of the key exchange took 74.8 s for Alice and 72.29 s for Bob.
The implementation took parameters \(e_A=51\) and \(e_B=32\), and \(f=1\) with
The base hyperelliptic curve is defined by
where \(i^2=-1\) in \(\mathbb {F}_{p^2}\).
The generators of the torsion subgroups are given by
The secret scalars of Alice and Bob are
Using their secret scalars, they will obtain the following pair of hyperelliptic curves
The auxiliary points computed are the following
This allows for both parties to compute the final isogeny to obtain
as their common \(G_2\)-invariants.
© 2019 Springer Nature Switzerland AG
Cite this paper
Flynn, E.V., Ti, Y.B. (2019). Genus Two Isogeny Cryptography. In: Ding, J., Steinwandt, R. (eds) Post-Quantum Cryptography. PQCrypto 2019. Lecture Notes in Computer Science(), vol 11505. Springer, Cham. https://doi.org/10.1007/978-3-030-25510-7_16
Print ISBN: 978-3-030-25509-1
Online ISBN: 978-3-030-25510-7