The supersingular isogeny problem in genus 2 and beyond
Craig Costello (Microsoft Research) and Benjamin Smith (Inria + École polytechnique)
ANR CIAO Kickoff meeting, Bordeaux, February 2020
g = 1
The supersingular isogeny graph
For each prime $p$, we let $S_1(p)$ be the set of supersingular elliptic curves over $\mathbb{F}_{p^2}$, up to $\mathbb{F}_{p^2}$-isomorphism: $\#S_1(p) \approx \lfloor p/12 \rfloor$; we can view $S_1(p) \subset \mathbb{F}_{p^2}$ via the $j$-invariant.
For primes $\ell \neq p$, we let $\Gamma_1(\ell;p)$ be the $\ell$-isogeny graph on $S_1(p)$. This is
• a directed multigraph (but almost a graph)
• connected
• $(\ell+1)$-regular
• Ramanujan (excellent expansion properties)
Random walks in $\Gamma_1(\ell;p)$ of length $O(\log p)$ give a uniform distribution on $S_1(p)$.
Supersingular isogeny problem
The general supersingular elliptic isogeny problem for fixed $\ell$: given $E$ and $E'$ in $S_1(p)$, find a path from $E$ to $E'$ in $\Gamma_1(\ell;p)$ (length $< \log p$).
• Classical solution in $O(\sqrt{\#S_1(p)}) = O(\sqrt{p})$
• Quantum solution in $O(\sqrt[4]{\#S_1(p)}) = O(\sqrt[4]{p})$
Solving the general problem has important implications:
• This general problem (our focus today) is related to the security of the Charles–Goren–Lauter hash function.
• SIDH security is related to the special short-path problem of finding very short paths (not in this talk).
The Charles–Goren–Lauter hash function
Charles–Goren–Lauter (2009): a hash function with provable collision-resistance properties. System parameters:
• A prime $p$, an ordering on $\mathbb{F}_{p^2}$ (hence on $S_1(p)$), and a linear map $\pi : \mathbb{F}_{p^2} \to \mathbb{F}_p$
• An edge $j_{-1} \to j_0$ in $\Gamma_1(2;p)$
To compute the hash of an $n$-bit message $m = (m_0, \ldots, m_{n-1})$, we compute a corresponding path $j_0 \to \cdots \to j_n$ in $\Gamma_1(\ell;p)$: for each $0 \le i < n$,
1. the 3 edges out of $j_i$ are $j_i \to j_{i-1}$, $j_i \to \alpha$, and $j_i \to \beta$ with $\alpha > \beta$
2. if $m_i = 0$, then set $j_{i+1} = \alpha$; otherwise, set $j_{i+1} = \beta$
The hash value is $H(m) = \pi(j_n)$.
Solving the isogeny problem for $\ell = 2$ $\Rightarrow$ finding preimages for this hash.
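The walk just described, as an added illustration in plain Python (this is not code from the slides or from Charles–Goren–Lauter). It assumes a toy prime $p = 8191 \equiv 3 \pmod 4$ so that $\mathbb{F}_{p^2} = \mathbb{F}_p(i)$ with $i^2 = -1$, curves in short Weierstrass form $y^2 = x^3 + ax + b$ with 2-isogenies computed by Vélu's formulas, the starting edge $j_{-1} \to j_0$ taken out of $y^2 = x^3 + x$ with kernel $\langle(0,0)\rangle$, the lexicographic order on $(u, v)$ for $u + vi$ as the ordering on $\mathbb{F}_{p^2}$, and $\pi(u + vi) := u$. All of these choices are assumptions for the example.

```python
# Added illustration of a CGL-style walk in Gamma_1(2; p); not the slides' own code.
# Assumptions: p ≡ 3 (mod 4) so F_{p^2} = F_p(i), i^2 = -1; short Weierstrass curves;
# fixed first edge out of E_{-1}: y^2 = x^3 + x with kernel <(0,0)>; pi(u + v i) := u.
P = 8191  # constructed toy prime (2^13 - 1); real parameters use a far larger p


class Fp2:
    """u + v*i in F_{p^2} with i^2 = -1 (a field because p ≡ 3 mod 4); ints are lifted."""
    def __init__(self, u, v=0, p=P): self.p, self.u, self.v = p, u % p, v % p
    def _l(self, o): return o if isinstance(o, Fp2) else Fp2(o, 0, self.p)
    def __add__(self, o): o = self._l(o); return Fp2(self.u + o.u, self.v + o.v, self.p)
    def __sub__(self, o): o = self._l(o); return Fp2(self.u - o.u, self.v - o.v, self.p)
    def __mul__(self, o):
        o = self._l(o)
        return Fp2(self.u * o.u - self.v * o.v, self.u * o.v + self.v * o.u, self.p)
    def __neg__(self): return Fp2(-self.u, -self.v, self.p)
    def __eq__(self, o): return (self.u, self.v) == (o.u, o.v)
    def inv(self):  # 1/z = conj(z)/Norm(z), Norm(z) = u^2 + v^2 in F_p
        n = pow(self.u * self.u + self.v * self.v, -1, self.p)
        return Fp2(self.u * n, -self.v * n, self.p)
    def key(self): return (self.u, self.v)  # the total order CGL needs on F_{p^2}


def sqrt_fp(n, p):
    """Square root in F_p for p ≡ 3 mod 4; raises ValueError for a non-residue."""
    n %= p
    r = pow(n, (p + 1) // 4, p)
    if r * r % p != n:
        raise ValueError("non-residue")
    return r


def sqrt_fp2(z):
    """Square root in F_{p^2} = F_p(i); raises ValueError if z is not a square."""
    p = z.p
    if z.v == 0:  # z in F_p: either sqrt(u) lies in F_p, or sqrt(-u)*i does
        try:
            return Fp2(sqrt_fp(z.u, p), 0, p)
        except ValueError:
            return Fp2(0, sqrt_fp(-z.u, p), p)
    s = sqrt_fp(z.u * z.u + z.v * z.v, p)  # sqrt of Norm(z); exists iff z is a square
    for t in (z.u + s, z.u - s):  # exactly one of (u ± s)/2 is a square in F_p
        try:
            x = sqrt_fp(t * pow(2, -1, p), p)
        except ValueError:
            continue
        return Fp2(x, z.v * pow(2 * x, -1, p), p)  # (x + y i)^2 = z with y = v/(2x)
    raise ValueError("not a square in F_{p^2}")


def j_invariant(a, b):
    """j = 1728 * 4a^3 / (4a^3 + 27b^2)."""
    a3 = a * a * a * 4
    return a3 * 1728 * (a3 + b * b * 27).inv()


def isogeny_step(a, b, roots, k):
    """2-isogeny of y^2 = x^3 + ax + b with kernel <(roots[k], 0)> (Vélu's formulas).
    Returns the codomain (a', b') and its three 2-torsion x-coordinates, with the
    generator of ker(dual isogeny), i.e. the back edge, in position 0."""
    x0 = roots[k]
    t = x0 * x0 * 3 + a                    # Vélu's t for a point of order 2
    a2, b2 = a - t * 5, b - x0 * t * 7
    x1 = roots[(k + 1) % 3]                # another 2-torsion point; its image spans ker(dual)
    r = x1 + t * (x1 - x0).inv()           # Vélu's x-map: X = x + t/(x - x0)
    d = sqrt_fp2(-(r * r * 3) - a2 * 4)    # the other roots solve X^2 + rX + (r^2 + a2) = 0
    half = Fp2(pow(2, -1, a.p), 0, a.p)
    return a2, b2, [r, (d - r) * half, (-d - r) * half]


def cgl_walk(bits, p=P):
    """Return the curves (a, b, roots) visited, j_0 first; len(bits) + 1 entries."""
    a, b = Fp2(1, 0, p), Fp2(0, 0, p)                     # E_{-1}: y^2 = x^3 + x
    roots = [Fp2(0, 0, p), Fp2(0, 1, p), Fp2(0, -1, p)]    # x^3 + x = x (x - i)(x + i)
    a, b, roots = isogeny_step(a, b, roots, 0)             # fixed edge j_{-1} -> j_0
    path = [(a, b, roots)]
    for bit in bits:
        # roots[0] is the back edge; the two forward edges are roots[1] and roots[2]
        cands = [isogeny_step(a, b, roots, k) for k in (1, 2)]
        cands.sort(key=lambda c: j_invariant(c[0], c[1]).key(), reverse=True)  # alpha first
        a, b, roots = cands[0] if bit == 0 else cands[1]
        path.append((a, b, roots))
    return path


def cgl_hash(bits, p=P):
    """H(m) = pi(j_n) with pi(u + v i) = u."""
    a, b, _ = cgl_walk(bits, p)[-1]
    return j_invariant(a, b).u


def walk_is_consistent(bits, p=P):
    """Check: every curve on the walk is nonsingular and its three stored 2-torsion
    x-coordinates are distinct roots of its cubic (full rational 2-torsion persists)."""
    zero = Fp2(0, 0, p)
    for a, b, roots in cgl_walk(bits, p):
        if a * a * a * 4 + b * b * 27 == zero:
            return False
        if any(x * x * x + a * x + b != zero for x in roots):
            return False
        if len({x.key() for x in roots}) != 3:
            return False
    return True
```

The back edge is excluded by tracking the kernel of the dual isogeny rather than by comparing $j$-invariants; that distinction matters at multi-edges and at $j = 0, 1728$, where two distinct edges can land on the same vertex. Because every curve here is supersingular with $(p+1)^2$ points, its 2-torsion is fully $\mathbb{F}_{p^2}$-rational, which is why the cubic splits at every step.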
g > 1
Higher dimensions: superspecial and supersingular
A $g$-dimensional PPAV $A$ is
• Supersingular if all slopes of the Newton polygon of its Frobenius are $1/2$. Any supersingular $A$ is isogenous to a product of supersingular ECs.
• Superspecial if Frobenius acts as $0$ on $H^1(A, \mathcal{O}_A)$. Any superspecial $A$ is isomorphic to a product of supersingular ECs, though generally only as unpolarized AVs.
• Superspecial $\Rightarrow$ supersingular.
• Superspeciality is preserved by $(\ell, \ldots, \ell)$-isogeny.
The superspecial set
For each $g > 0$ and prime $p$, we define
$S_g(p) := \{\text{superspecial PPAVs over } \mathbb{F}_{p^2}\} / \cong$.
We have $\#S_g(p) = O(p^{g(g+1)/2})$ (with much more precise statements for $g \le 3$).
The superspecial graph
For primes $\ell \neq p$, we let $\Gamma_g(\ell;p)$ be the $(\ell, \ldots, \ell)$-isogeny graph on $S_g(p)$. The graph $\Gamma_g(\ell;p)$ is connected and $N_g(\ell)$-regular, where
$N_g(\ell) := \sum_{d=0}^{g} \binom{g}{d}_\ell \cdot \ell^{\binom{g-d+1}{2}}$,
where $\binom{n}{k}_\ell := \frac{(n)_\ell \cdots (n-k+1)_\ell}{(k)_\ell \cdots (1)_\ell}$, with $(i)_\ell := \frac{\ell^i - 1}{\ell - 1}$, counts the $k$-dimensional subspaces of $\mathbb{F}_\ell^n$.
Expander hypothesis: we assume $\Gamma_g(\ell;p)$ is Ramanujan. If the hypothesis fails, then our algorithm might be less efficient, but commensurately so with the cryptosystems that it attacks.
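The degree formula above, evaluated in Python as an added example (not code from the slides). The cross-check against $\prod_{i=1}^{g} (\ell^i + 1)$, the number of maximal isotropic subgroups of $A[\ell] \cong \mathbb{F}_\ell^{2g}$ under the Weil pairing, is a standard fact I am adding here; it is not stated on the slide. It recovers $N_1(\ell) = \ell + 1$ and $N_2(2) = 15$ as the talk uses them.

```python
# Added example: the regularity N_g(l) of Gamma_g(l; p) from the Gaussian-binomial formula,
# with an independent cross-check (assumption: the Lagrangian count prod (l^i + 1)).
from math import comb


def gaussian_int(i, l):
    """(i)_l := (l^i - 1)/(l - 1), the number of points of P^{i-1}(F_l)."""
    return (l ** i - 1) // (l - 1)


def gaussian_binomial(n, k, l):
    """[n choose k]_l := (n)_l ... (n-k+1)_l / ((k)_l ... (1)_l): k-dim subspaces of F_l^n."""
    if k < 0 or k > n:
        return 0
    num = den = 1
    for j in range(k):
        num *= gaussian_int(n - j, l)
        den *= gaussian_int(j + 1, l)
    return num // den  # exact: the Gaussian binomial is an integer


def regularity(g, l):
    """N_g(l) = sum_{d=0}^{g} [g choose d]_l * l^{binom(g-d+1, 2)}: the degree of Gamma_g(l; p)."""
    return sum(gaussian_binomial(g, d, l) * l ** comb(g - d + 1, 2) for d in range(g + 1))


def lagrangian_count(g, l):
    """Cross-check (added assumption, not from the slide): the number of maximal isotropic
    subgroups of A[l] ≅ F_l^{2g}, i.e. of (l,...,l)-isogenies out of a PPAV, is prod_{i=1}^{g} (l^i + 1)."""
    out = 1
    for i in range(1, g + 1):
        out *= l ** i + 1
    return out


if __name__ == "__main__":
    for g, l in [(1, 2), (1, 3), (2, 2), (2, 3), (3, 2)]:
        print(f"N_{g}({l}) = {regularity(g, l)}  (cross-check: {lagrangian_count(g, l)})")
```

The value $N_2(2) = 15$ is the one that turns a bit-per-step walk into a base-14 alphabet once the backtracking edge is removed, which is the point the Takashima slide makes below.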
Generalizing CGL to genus 2: Takashima
Takashima was the first to generalize CGL to AVs of dimension $g = 2$. Takashima's hash works exactly like CGL, but
• $S_1(p)$ becomes $S_2(p)$ (Takashima wants to use the full supersingular graph, but ends up stuck in the superspecial component)
• $\Gamma_1(2;p)$ becomes $\Gamma_2(2;p)$: i.e. 2-isogenies become $(2,2)$-isogenies.
To compute the walks in $\Gamma_2(2;p)$, Takashima uses
• supersingular genus-2 curves to represent the vertices (the $j$-invariant becomes the Igusa–Clebsch invariants), and
• Richelot's formulæ to compute the isogeny steps.
Note that $\Gamma_2(2;p)$ is 15-regular, so the data to be hashed is coded in base $\le 14$!
Trivial 4-cycles in the genus-2 graph
Flynn and Ti observe a serious issue with Takashima's hash function: it is easy to construct cycles of length 4 starting at any vertex of $\Gamma_2(\ell;p)$.
Take $P \in A_0[\ell^2]$ and $Q, R \in A_0[\ell]$ s.t. $e_\ell([\ell]P, R) = e_\ell([\ell]P, Q) = 1$; form $(\ell,\ell)$-isogenies
$\phi_0 : A_0 \to A_1 = A_0/K_0$ where $K_0 := \langle [\ell]P, Q \rangle$,
$\phi_0' : A_0 \to A_1' = A_0/K_0'$ where $K_0' := \langle [\ell]P, R \rangle$,
$\phi_1 : A_1 \to A_2 = A_1/K_1$ where $K_1 := \phi_0(K_0')$,
$\phi_1' : A_1' \to A_2' = A_1'/K_1'$ where $K_1' := \phi_0'(K_0)$.
Now $\ker(\phi_1 \circ \phi_0) = \ker(\phi_1' \circ \phi_0')$, so $A_2 \cong A_2'$, and so we get a cycle
$A_0 \xrightarrow{\phi_0} A_1 \xrightarrow{\phi_1} A_2 \cong A_2' \xrightarrow{(\phi_1')^\dagger} A_1' \xrightarrow{(\phi_0')^\dagger} A_0$.
$\Rightarrow$ in $g > 1$, non-backtracking is not strong enough to avoid hash collisions.
Generalizing CGL to genus 2: Castryck–Decru–Smith
Castryck–Decru–S. (NutMiC 2019): an attempt to fix Takashima.
• Explicit restriction to the superspecial graph $\Gamma_2(2;p)$
• New rule for isogeny walks to replace non-backtracking: for each $(2,2)$-isogeny $\phi_i : A_i \to A_{i+1}$, we must choose one of the eight $(2,2)$-isogenies $\phi_{i+1} : A_{i+1} \to A_{i+2}$ such that $\phi_{i+1} \circ \phi_i$ is a $(4,4)$-isogeny.
Implementation: again, represent vertices with (Jacobians of) genus-2 curves, and compute edges using Richelot isogenies.
The superspecial genus 2 graph
Minor inconvenience: there are two types of PPAVs in dimension $g = 2$: Jacobians of genus-2 curves, and elliptic products.
• Richelot's formulæ break down when the codomain is an elliptic product
• Isomorphism invariants are incompatible
Partition $S_2(p)$ into corresponding subsets, $S_2(p)_J$ and $S_2(p)_E$; then
$\#S_2(p)_J = \frac{p^3}{2880} + \frac{p^2}{120} + O(p)$ and $\#S_2(p)_E = \frac{p^2}{288} + O(p)$.
Being a proof of concept, CDS takes a simple solution: fail on elliptic products. Justification: a random $A \in S_2(p)$ has only a $O(1/p)$ chance of being in $S_2(p)_E$.
Bad news: from a cryptanalytic point of view, this is not rare enough.
Solving the isogeny problem in g > 1
Results
Theorem (Costello–S., PQCrypto 2020):
1. There exists a classical algorithm which solves isogeny problems in $\Gamma_g(\ell;p)$ with probability $\ge 1/2^{g-1}$ in expected time $\tilde{O}(p^{g-1}/P)$ on $P$ processors as $p \to \infty$ (with $\ell$ fixed).
2. There exists a quantum algorithm which solves isogeny problems in $\Gamma_g(\ell;p)$ in expected time $\tilde{O}(\sqrt{p^{g-1}})$ as $p \to \infty$ (with $\ell$ fixed).
This talk: the classical algorithm. Details: https://eprint.iacr.org/2019/1387
Attacking the isogeny problem
Recall: if we just view $\Gamma_g(\ell;p)$ as a generic $N_g(\ell)$-regular Ramanujan graph, then solving the path-finding problem would cost $\tilde{O}(p^{g(g+1)/4})$ (classical) isogeny steps.
Key observation: in $g = 2$, we have $\#S_2(p)_E \ll \#S_2(p)_J$. This pattern continues in $g > 2$. We beat square-root algorithms by exploiting this special subset.
Let's look at the algorithm for $g = 2$ first. Recursive application will give us $g > 2$.
The algorithm in $g = 2$: Step 1
The algorithm in dimension $g = 2$ (attacking Takashima and Castryck–Decru–S.):
Step 1: Compute paths from our target PPASes into elliptic product vertices:
$\phi : A \to \cdots \to E_1 \times E_2 \in S_2(p)_E$
$\phi' : A' \to \cdots \to E_1' \times E_2' \in S_2(p)_E$
Expander hypothesis $\Rightarrow$ we find $\phi$ (and $\phi'$) after $O(p)$ random walks of length $O(\log p)$ in $\Gamma_2(\ell;p)$: total cost is $\tilde{O}(p/P)$ isogeny steps on $P$ classical processors.
It remains to compute a path $E_1 \times E_2 \to \cdots \to E_1' \times E_2'$ in $\tilde{O}(p)$ steps.