Genus Two Isogeny Cryptography

  • E. V. Flynn
  • Yan Bo TiEmail author
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11505)


We study \((\ell ,\ell )\)-isogeny graphs of principally polarised supersingular abelian surfaces (PPSSAS). The \((\ell ,\ell )\)-isogeny graph has cycles of small length that can be used to break the collision resistance assumption of the genus two isogeny hash function suggested by Takashima. Algorithms for computing (2, 2)-isogenies on the level of Jacobians and (3, 3)-isogenies on the level of Kummers are used to develop a genus two version of the supersingular isogeny Diffie–Hellman protocol of Jao and de Feo. The genus two isogeny Diffie–Hellman protocol achieves the same level of security as SIDH but uses a prime with a third of the bit length.


Post-quantum cryptography Isogeny-based cryptography Cryptanalysis Key exchange Hash function 



The authors would like to thank Steven Galbraith, Lukas Zobernig, Chloe Martindale, Luca de Feo and David Kohel for enlightening discussions. In particular, we thank Steven for the idea of the cryptanalysis of the hash function. We also thank the reviewers for suggesting improvements to the paper, most of which we have tried to include.

Supplementary material


  1. 1.
    Bruin, N., Doerksen, K.: The arithmetic of genus two curves with (4, 4)-split Jacobians. Can. J. Math. 63, 992–1024 (2009)MathSciNetCrossRefGoogle Scholar
  2. 2.
    Bruin, N., Flynn, E.V., Testa, D.: Descent via (3, 3)-isogeny on Jacobians of genus 2 curves. Acta Arithmetica 165 (2014)MathSciNetCrossRefGoogle Scholar
  3. 3.
    Cassels, J.W.S., Flynn, E.V.: Prolegomena to a Middlebrow Arithmetic of Curves of Genus 2. London Mathematical Society Lecture Note Series. Cambridge University Press, Cambridge (1996)CrossRefGoogle Scholar
  4. 4.
    Charles, D.X., Lauter, K.E., Goren, E.Z.: Cryptographic hash functions from expander graphs. J. Cryptol. 22(1), 93–113 (2009)MathSciNetCrossRefGoogle Scholar
  5. 5.
    Costello, C.: Computing supersingular isogenies on kummer surfaces. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018. LNCS, vol. 11274, pp. 428–456. Springer, Cham (2018). Scholar
  6. 6.
    Couveignes, J.M.: Hard homogeneous spaces. Cryptology ePrint Archive, Report 2006/291 (2006).
  7. 7.
    Eisenträger, K., Hallgren, S., Lauter, K., Morrison, T., Petit, C.: Supersingular isogeny graphs and endomorphism rings: reductions and solutions. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10822, pp. 329–368. Springer, Cham (2018). Scholar
  8. 8.
    Galbraith, S.D.: Mathematics of Public Key Cryptography, 1st edn. Cambridge University Press, New York (2012)CrossRefGoogle Scholar
  9. 9.
    Galbraith, S.D., Petit, C., Shani, B., Ti, Y.B.: On the security of supersingular isogeny cryptosystems. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 63–91. Springer, Heidelberg (2016). Scholar
  10. 10.
    Gélin, A., Wesolowski, B.: Loop-abort faults on supersingular isogeny cryptosystems. In: Lange, T., Takagi, T. (eds.) PQCrypto 2017. LNCS, vol. 10346, pp. 93–106. Springer, Cham (2017). Scholar
  11. 11.
    Gonzalez, J., Guàrdia, J., Rotger, V.: Abelian surfaces of GL[2]-type as Jacobians of curves. Acta Arithmetica 116, 263–287 (2005)MathSciNetCrossRefGoogle Scholar
  12. 12.
    Jao, D., De Feo, L.: Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. In: Yang, B.-Y. (ed.) PQCrypto 2011. LNCS, vol. 7071, pp. 19–34. Springer, Heidelberg (2011). Scholar
  13. 13.
    Kohel, D., Lauter, K., Petit, C., Tignol, J.: On the quaternion \(\ell \)-isogeny path problem. LMS J. Comput. Math. 17(Special issue A), 418–432 (2014)MathSciNetCrossRefGoogle Scholar
  14. 14.
    De Feo, L., Jao, D., Plût, J.: Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. J. Math. Cryptol. 8(3), 209–247 (2014)MathSciNetzbMATHGoogle Scholar
  15. 15.
    Milne, J.S.: Abelian varieties. In: Cornell, G., Silverman, J.H. (eds.) Arithmetic Geometry, pp. 103–150. Springer, New York (1986). Scholar
  16. 16.
    Mumford, D.: Abelian Varieties, Tata Institute of Fundamental Research Studies in Mathematics, vol. 5. Tata Institute of Fundamental Research, Bombay (2008)Google Scholar
  17. 17.
    Petit, C.: Faster algorithms for isogeny problems using torsion point images. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10625, pp. 330–353. Springer, Cham (2017). Scholar
  18. 18.
    Rostovtsev, A., Stolbunov, A.: Public-key cryptosystem based on isogenies. Cryptology ePrint Archive, Report 2006/145 (2006).
  19. 19.
    Serre, J.P.: Algebraic Groups and Class Fields. Graduate Texts in Mathematics, vol. 117. Springer, New York (1988). Translated from the FrenchCrossRefzbMATHGoogle Scholar
  20. 20.
    Smith, B.: Explicit endomorphisms and correspondences. Ph.D. thesis, University of Sydney (2005)Google Scholar
  21. 21.
    Takashima, K.: Efficient algorithms for isogeny sequences and their cryptographic applications. In: Takagi, T., Wakayama, M., Tanaka, K., Kunihiro, N., Kimoto, K., Duong, D.H. (eds.) Mathematical Modelling for Next-Generation Cryptography. MI, vol. 29, pp. 97–114. Springer, Singapore (2018). Scholar
  22. 22.
    Takashima, K., Yoshida, R.: An algorithm for computing a sequence of richelot isogenies. Bull. Korean Math. Soc. 46, 789–802 (2009)MathSciNetCrossRefGoogle Scholar
  23. 23.
    Tani, S.: Claw finding algorithms using quantum walk. arXiv e-prints (2007)Google Scholar
  24. 24.
    Ti, Y.B.: Fault attack on supersingular isogeny cryptosystems. In: Lange, T., Takagi, T. (eds.) PQCrypto 2017. LNCS, vol. 10346, pp. 107–122. Springer, Cham (2017). Scholar
  25. 25.
    Vélu, J.: Isogénies entre courbes elliptiques. C.R. Acad. Sci. Paris, Série A. 273, 238–241 (1971)Google Scholar

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. 1.Mathematical InstituteOxford UniversityOxfordUK
  2. 2.Mathematics DepartmentUniversity of AucklandAucklandNew Zealand

Personalised recommendations