Failing to hash into supersingular isogeny graphs

Author affiliations and contact addresses:
1. jeremybooher@ufl.edu
2. Department of Computer Science, University of Bristol, Bristol, UK: ross.bowden@bristol.ac.uk
3. Department of Computer and Software, McMaster University, Hamilton, Canada: jake.doliskani@mcmaster.ca
4. LASEC, EPFL, Lausanne, Switzerland: tako.fouotsa@epfl.ch
5. Department of Mathematics, The University of Auckland, Auckland, New Zealand: s.galbraith@auckland.ac.nz, lukas.zobernig@gmail.com
6. Ruhr-Universität Bochum, Bochum, Germany: sabrina.kunzweiler@ruhr-uni-bochum.de
7. Department of Computer Science, ETH Zurich, Switzerland: research@simon-philipp.com
8. Laboratoire d’Informatique, Université libre de Bruxelles, Bruxelles, Belgium: christophe.f.petit@gmail.com
9. Inria and Laboratoire d’Informatique (LIX), CNRS, École polytechnique, Institut Polytechnique de Paris, Palaiseau, France: smith@lix.polytechnique.fr
10. Department of Mathematics, University of Colorado Boulder, Boulder, Colorado, USA: kstange@math.colorado.edu
11. DSO, Singapore: yanbo.ti@gmail.com
12. Department of Mathematics and Statistics, University of Vermont, Burlington, Vermont, USA: christelle.vincent@uvm.edu
13. School of Mathematics and Statistics, University of Canterbury, Christchurch, New Zealand: felipe.voloch@canterbury.ac.nz
14. University of Birmingham, Birmingham, UK: c.weitkaemper@pgr.bham.ac.uk
Abstract
An important open problem in supersingular isogeny-based cryptography is to produce, without a trusted authority, concrete examples of “hard supersingular curves”, that is, equations for supersingular curves for which computing the endomorphism ring is as difficult as it is for random supersingular curves. A related open problem is to produce a hash function to the vertices of the supersingular -isogeny graph which does not reveal the endomorphism ring, or a path to a curve of known endomorphism ring. Such a hash function would open up interesting cryptographic applications. In this paper, we document a number of (thus far) failed attempts to solve this problem, in the hope that we may spur further research, and shed light on the challenges and obstacles to this endeavour. The mathematical approaches contained in this article include: (i) iterative root-finding for the supersingular polynomial; (ii) gcd’s of specialized modular polynomials; (iii) using division polynomials to create small systems of equations; (iv) taking random walks in the isogeny graph of abelian surfaces, and applying Kummer surfaces; and (v) using quantum random walks.
Keywords: isogeny-based cryptography, hashing, elliptic curves.
1 Introduction
Supersingular curves (and isogenies between them) have become a hot topic in cryptography over the last ten years or so. Fortunately the theory of complex multiplication provides efficient algorithms to generate a supersingular elliptic curve over , even for the astronomically large that are used for cryptographic applications (see Bröker [1]). It is also known how to uniformly sample a supersingular elliptic curve over : generate one curve using Bröker’s method and then take a sufficiently long random walk in the supersingular isogeny graph to get a curve .
There are several flavors of isogeny-based cryptography. One of the earliest proposals was the cryptographic hash function based on isogenies, by Charles, Goren and Lauter [2]. Another early proposal was to obtain a group action of the ideal class group on a set of elliptic curves. This was first proposed by Couveignes [3] and re-discovered by Rostovtsev and Stolbunov [4]. Class group actions were made practical with the CSIDH scheme by Castryck, Lange, Martindale, Panny and Renes [5]. Various digital signature schemes have been proposed [6, 7, 8, 9, 10, 11]. But the most studied isogeny-based cryptosystem of all is the key exchange protocol SIDH, by Jao and De Feo [12]. Public keys in the SIDH protocol include not only elliptic curves but also certain auxiliary points on these curves. The SIDH protocol has been a highly active area of research for over 10 years, but very recently major advances in cryptanalysis by Castryck and Decru [13], Maino and Martindale [14] and Robert [15] completely break SIDH, by exploiting the auxiliary points. It remains to be seen whether some variant of SIDH can be secure and practical. Note that the other areas of isogeny-based cryptography, such as CSIDH and the signature schemes, do not use auxiliary points and so are not affected by the attack. This paper was written before SIDH was broken, and we will refer to some results and papers that may not be relevant anymore. Nevertheless, the general problems considered in this paper are still relevant for isogeny cryptography and remain worthy of study.
One of the main computational problems in isogeny-based cryptography is to compute an isogeny between two given supersingular elliptic curves over the same finite field . This problem is called the supersingular isogeny problem or the path finding problem in the supersingular isogeny graph. It is believed to be hard, even for quantum computers. A related problem is the supersingular endomorphism ring problem: Given a supersingular elliptic curve over , compute its endomorphism ring (or even just one non-trivial endomorphism of ). The supersingular endomorphism ring problem and the supersingular isogeny problem are related [16, 17, 18].
The algorithm using complex multiplication sketched in the first paragraph for generating a uniformly distributed supersingular curve has the side-effect that the person who generated the curve also knows a path from to . In certain cryptographic applications this approach is not acceptable as it allows a user to insert a trapdoor or in some other way violate the desired security. There are a number of papers that have already mentioned this problem [19, 20, 21, 22, 23]. Currently the only solution known is to involve some “trusted party” to generate a random curve and then “forget” any resulting secret information. See [24] for trusted-setup solutions. There is great interest in finding better ways to solve this problem that do not require trusting a single party. Among other applications, it would circumvent the trusted setup in an isogeny-based verifiable delay function [22], in delay encryption [25] and in an SIDH-based oblivious pseudorandom function [26]. For the latter, the necessity of the trusted setup was pointed out by [27]. Before SIDH was broken, using a starting curve that is generated uniformly at random would prevent torsion point attacks [28, 29, 30].
Applications of hashing to hard supersingular curves might include hash-and-sign signatures, oblivious pseudorandom functions [26] and password-authenticated key exchange [31].
There are (at least) three general problems that are of interest for isogeny-based cryptography:
1. Given a prime , to compute a supersingular curve over without revealing anything about the endomorphism ring or providing any information to help solve the isogeny problem (for isogenies from to some other supersingular curve over ). This is the problem of demonstrating a hard curve [19].
2. Given a prime , to generate uniformly random supersingular curves over without revealing anything about the endomorphism ring or providing any information to help solve the isogeny problem to other supersingular curves over .
3. Defining a hash function to the entire supersingular graph. To produce a hash function taking arbitrary strings as input, and outputting supersingular -invariants. The hard problems in this context include both pre-image finding and collision-finding for the hash function, and path finding and endomorphism ring computation for the output curve. We ask for these problems to remain hard on curves produced by the hash function.
There are also variants of these problems that involve sampling from (resp. mapping to) subsets of the set of supersingular curves. The most significant is defining a hash function just to the subgraph.
The two obvious approaches to these problems are to use tools from the theory of complex multiplication and/or random walks. However neither method is secure for our problems. The insecurity of methods based on random walks is self-evident. The insecurity of methods based on CM is less clear, and was demonstrated by Castryck, Panny and Vercauteren [20] and Love and Boneh [19]. We refer to Section 2 for details.
Castryck–Panny–Vercauteren [20] and Wesolowski [32] have considered the analogous approach in the special case of sampling supersingular curves with -invariant in using CM theory. Again they show that any such approach is not secure (they show how to solve the class group action problem in subexponential and polynomial time respectively).
Hence we need new ideas. The goal of the paper is to explain some possible approaches and to discuss the obstructions to getting a practical solution.
In all cases we are interested in an efficient algorithm that takes as input , can be executed without any secret information, and that outputs (the -invariant of) a supersingular elliptic curve over . We do not want the algorithm to provide any additional information that would be useful to the person who executes it. For the problem of generating a single hard curve (e.g., to bypass the requirement for trusted set up), the meaning of “efficient” might be relaxed, as long as it is feasible in applications.
As already mentioned, it would already be interesting to have an algorithm that returns a single curve. But the most desirable outcome is a cryptographic hash function that takes a binary string and returns a supersingular -invariant and satisfies these properties:
1. It is efficient and deterministic.
2. It is hard to find a collision, namely two binary strings and such that .
3. It is hard to invert, namely given an in the codomain it is hard to compute a binary string such that .
4. The -invariants are uniformly distributed in the codomain.
Note that one can build an algorithm for hashing to the supersingular set by combining a standard cryptographic hash function (e.g., SHA-3) with a randomised algorithm to generate a supersingular curve (as in problem 2 listed above). To do this, simply compute and use it as the seed to a pseudorandom generator and then run the algorithm to generate a supersingular curve replacing all calls to randomness with this pseudorandom sequence. Hence, it suffices to focus on problems 1 and 2 above.
Several of the approaches in our paper try to bypass the problem of working with polynomials of exponentially-large degree. Section 3 sketches an approach motivated by iterated methods for root-finding (such as the Newton-Raphson method). However the main idea in this section is to avoid writing down the polynomial by indirectly computing its evaluation at a given point. This motivates a study of iterative methods in this special case. Similarly, Section 4 studies an approach based on modular curves and the fact that one can compute the roots in of the greatest common divisor of two polynomials and in polynomial time in certain circumstances, even though the polynomials themselves have exponential degree. This approach does not lead to a useful solution at present, as the computation only produces curves that could feasibly have been computed using the CM method. Section 5 also attempts to control the growth of polynomials, by giving a system of low-degree polynomials whose common solution would give a desired curve.
Other methods try to use random walks in new ways. Section 6 suggests walking on the isogeny graph of abelian surfaces, until one lands on a reducible surface. The challenge faced by this method is that reducible surfaces are exponentially rare in the isogeny graph and we lack techniques to navigate to one from an arbitrary position in the graph. Finally, Section 7 suggests a way to use a quantum analog of the CGL hash to generate a random supersingular curve. The way a quantum algorithm uses randomness means this cannot be combined with a standard cryptographic hash function as described above. If properly implemented on a quantum computer, the algorithm makes the path information inaccessible to the user. But without a method to certify the use of the quantum algorithm, this approach only replaces the need for a trusted entity from one who will erase the path data to one who will promise to use a quantum computer.
Between release and revisions for this work, the concurrent work [33], which also proposes some approaches to the hashing problem, was made public. In particular, the papers appear to overlap in suggesting a system of equations based on torsion point restrictions (compare Section 5.1 and [33, Section 6.3]).
We hope the ideas and analysis in our paper will be useful to researchers. We identify a number of obstructions to efficient hashing to supersingular curves. We hope that future research might overcome one of these obstructions.
Funding
This work was supported by the Marsden Fund Council administered by the Royal Society of New Zealand [to J.B.]; Natural Sciences and Engineering Research Council of Canada (NSERC) [to J.D.]; Deutsche Forschungsgemeinschaft (DFG, German Research Foundation) under Germany’s Excellence Strategy [EXC 2092 CASA - 390781972 to S.K.]; Engineering & Physical Sciences Research Council [EP/P009301/1 to S.-P.M., EP/S01361X/1 and EP/V011324/1 to C.P., EP/T517872/1 to R.B.]; l’Agence nationale de la recherche (ANR) [program CIAO (ANR-19-CE48-0008) and a Plan France 2030 grant (ANR-22-PETQ-0008 PQ-TLS) to B.S.]; National Science Foundation [NSF-CAREER CNS-1652238 to K.S., DMS-1802323 to C.V.]; Simons Foundation [Fellowship 822143 to K.S.]; Ministry of Business, Innovation and Employment and the Marsden Fund Council administered by the Royal Society of New Zealand [to J.F.V., to S.G.].
Data availability statement
No data available.
Acknowledgements
This project was initiated as part of the Banff International Research Station (BIRS) Workshop 21w5229, Supersingular Isogeny Graphs in Cryptography. The project owes a debt of gratitude to BIRS and to the organizers of that workshop: Victoria de Quehen, Kristin Lauter, Chloe Martindale, and Christophe Petit. The project was led by Steven Galbraith, Christophe Petit, Yan Bo Ti, and Katherine E. Stange. We would also like to thank Chloe Martindale for useful discussions, Annamaria Iezzi for her involvement in Section 4, as well as Wouter Castryck and Eyal Goren for contributing ideas to Section 6.
2 Existing methods
We briefly review the existing methods of generating supersingular curves. Neither is secure in the sense of the introduction. Nevertheless, these two paradigms form the basis of the methods proposed in this work, which fall broadly into methods based on random walks, and methods based on finding roots to high degree polynomials (or systems of such).
The Charles-Goren-Lauter hash function [2] hashes into the supersingular curves over . At each vertex of the supersingular isogeny graph, the out-directed edges are labelled in some fixed deterministic manner. Starting from a known curve such as , the bitstring to be hashed is interpreted as directions for a walk through the graph, via the labelling just mentioned. If the walk is sufficiently long, it is known from the properties of the graph (it is Ramanujan) that the endpoint will be uniformly randomly chosen from amongst all the vertices of the graph [2]. However, the walk itself is a path to and therefore the path-finding problem from the endpoint is trivial, unless this information is discarded by a trusted authority.
The CM method of Bröker [1] finds supersingular roots of a Hilbert class polynomial. The Hilbert class polynomial for a quadratic order modulo is a polynomial in whose roots in are the -invariants of elliptic curves whose endomorphism rings contain a copy of . In order to apply known root-finding algorithms, or indeed, to obtain the polynomial at all, the degree of must be small. This implies that itself has non-integral elements of small norm. The images of such elements in the endomorphism ring are termed small endomorphisms, and so all the curves obtained have small endomorphisms. At the very least, it follows that the curves obtained are far from uniformly distributed. Furthermore, having a small endomorphism is known to be a serious vulnerability [19, 20]. Precisely, Castryck, Panny and Vercauteren [20] study the CSIDH case and show how to efficiently compute an ideal class as required to break CSIDH when given a small degree endomorphism. Love and Boneh [19] consider the more general case, such as arises in SIDH, and also show a general and efficient approach to computing isogenies between any two such curves in this setting. In general, anything which reveals the endomorphism ring will be a vulnerability [18].
3 Iterating to supersingular -invariants
In this section, we propose a method for generating a hard curve. For a prime number , define the polynomial , known as the Hasse polynomial or supersingular polynomial, by
(1) |
Proposition 1
Let denote the elliptic curve whose Legendre form is . Then for
Similarly for
Proof
This follows from the proof of [34, Theorem V.4.1(b)]. ∎
Thus is a root of if and only if is a supersingular elliptic curve. It is known that all the roots belong to and that, for , we have that of them belong to . None belong to when . This follows since the number of supersingular curves over is by combining [35] and [36, Eq (1)] and such a curve can be put in Legendre form if and only if all of its -torsion is rational, which is only possible when .
The basic idea is to compute a random root of the polynomial, thus giving a random supersingular elliptic curve. At first glance this seems impractical, as representing the polynomial takes exponential space, and computing would take exponential time. However, we can compute for in polynomial time using Schoof’s algorithm to compute . For , we can similarly compute by computing . It is unclear whether there is a fast way to compute for .
3.1 Iterating to a root
One approach to finding a root of is to iterate a polynomial function over a finite field as inspired by the Newton-Raphson method. Recall that the Newton-Raphson method finds a root of a polynomial by first picking a point on the domain and iteratively computing
(2) |
(while ). If a fixed point is found, then we can conclude that and that we have found a root.
In this vein, our “preliminary” idea is to find the roots using the same method. So one picks some (or ), and then defines
(3) |
(assuming ). It is clear that if , we must have that , and we have found a supersingular elliptic curve. Furthermore, this method could allow us to define a hash function into supersingular curves, by using the hash input to determine and then iterating (3).
However, there are three issues with this idea:
1. The algorithm may not halt at a fixed point (the iteration may become stuck in a cycle).
2. The algorithm may reach a fixed point, but require too many iterations to efficiently compute.
3. We do not know how to compute efficiently, or compute efficiently for .
To eliminate the third obstacle, we can consider the following alternatives to the Newton-Raphson method which share the key property that fixed points of the iteration correspond to roots of :
(4) | ||||
(5) |
The denominator in the previous attempt speeds up convergence to a root in a field with a metric, if we are already close to a root. In a finite field with the discrete topology there is no reason to include the denominator, and removing the denominator also removes the possibility the iteration is undefined. Using Schoof’s algorithm we may efficiently iterate (4) over (which is only of interest when has roots over , i.e. ), while we may efficiently iterate (5) over .
The first two obstacles are thornier to tackle: there are plenty of choices of where iteration leads to a cycle and not a fixed point, and paths to a fixed point can be very long. These are fundamental obstructions which we will discuss experimentally and compare to the behavior of random mappings.
3.2 Does Iteration Mimic Iteration of a Random Function?
In terms of understanding whether these iterative methods are useful for finding supersingular elliptic curves, the important quantities to understand for the iteration are:
1. the number of fixed points;
2. the number of points which eventually reach a fixed point upon iteration;
3. for these points, the maximum number of iterations needed to reach the fixed point; and
4. the number of points which reach a fixed point after iterations.
We will be mainly interested in understanding to what extent these iterative methods look like iterating a random function (which we can understand theoretically).
Consider a random function from a set of size to itself. In other words, the image of each element of is chosen independently and uniformly at random from . The expected number of fixed points for a random function is one, and given our knowledge about iterating random functions we would not expect iteration to quickly close in on the fixed point. However, the function we are iterating has many fixed points, and it is not a priori clear how iteration will behave.
Heuristic 2
We will experimentally explore the behavior of the iterative methods in this subsection, and theoretically study the behavior of iterating random functions with many fixed points in Section 3.3.
Experimentally, it appears that “many” points eventually reach a fixed point after iteration, which means that our iterative methods have a reasonable chance of finding a supersingular curve. However, the maximum number of iterations needed seems to be on the order of , which is too long to be practical. This is in line with the expected “tail length” of a random mapping [37, Theorem 8.4.8]. (Section 8.4 of loc. cit. contains a survey of the properties of random mappings.) Finally, the number of points which reach one of the fixed points after iterations appears to be on the order of , at least when is small relative to . This matches the conclusions of our analysis of random functions with many fixed points in Section 3.3.
While we provide examples of all the iterative methods, we have focused on iteration (4) over when as it is efficiently computable and well-motivated by analogy with the Newton-Raphson method. The behavior we are seeing does not seem sensitive to the exact iterative method used.
Example 1
When using the original Newton iteration (3), many points eventually reach a fixed point upon iteration. For example, when the polynomial has roots all defined over . If one iterates using (3), of the elements of eventually end up at a fixed point (about three percent). In those cases it took at most iterations to reach a fixed point. Similarly, when around twenty eight percent ( out of of the elements) eventually reach a fixed point. The maximum number of iterations needed was . When , out of randomly chosen elements of eventually reached a fixed point.
Example 2
The behavior when iterating using (4) over is broadly similar; removing division by does not seem to have a significant effect. For example when , of randomly chosen elements of ended in a fixed point. More systematically, if we look at all primes between and and compute the percentage of elements of which eventually reach a fixed point, the minimum and maximum percentages are about percent and percent. The mean is about percent. There are often quite long paths which eventually lead to a fixed point.
Example 3
Iterating using (4) over is only interesting when there are fixed points defined over , i.e. when . It appears broadly similar to the previous iterations considered. The number of fixed points is . Experimentally it looks like a sizeable fraction of the points of eventually reach a fixed point, and that for small the number of points which reach a fixed point after iterations is about times the number of fixed points (so on the order of ). The largest number of iterations needed to reach a fixed point appears to be on the order of .
To quantify this, we computed the minimum and maximum values for:
• the number of fixed points divided by , denoted ;
• the number of elements of iterating to a fixed point, divided by , denoted ;
• the largest number of iterations needed to reach a fixed point divided by , denoted .
Table 1 shows the minimum and maximum values of these values for primes in several ranges.
Table 1: minimum and maximum values of these three quantities for primes in three ranges (the numerical entries of the table are not recoverable from this extraction).
Example 4
Iterating using (5) over preserves the cosets of in . At first glance, it looks like for most cosets the map behaves like a random map: each coset has very few fixed points and about points in each coset lead to the fixed points.
Example 5
For a hundred randomly chosen functions with fixed points:
• the number of elements iterating to a fixed point ranged from to ( to ), with a mean of ().
• the maximum number of iterations needed to reach a fixed point ranged from to , with a mean of .
• the number of elements within iterations of a fixed point ranged from to , with a mean of .
This is broadly in line with the behavior seen in the previous examples, so experimentally it seems reasonable that iterating (3), (4) or (5) behaves like iterating a random function, supporting Heuristic 2.
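As an added worked example (written for this page; it is not code from the paper or its authors), the script below runs the denominator-free iteration of Section 3.1 over F_p for toy primes, collects the Section 3.2 statistics (fixed points, elements that eventually reach a fixed point, longest path, elements within k steps of a fixed point), and builds a random function with a prescribed number of fixed points for the Example 5 comparison. Assumptions: the supersingular polynomial is taken as H_p(x) = sum_{i=0}^{m} C(m,i)^2 x^i with m = (p-1)/2, the form given in Silverman's Theorem V.4.1 that Proposition 1 cites; iteration (4) is taken to be λ ↦ λ − H_p(λ) over F_p; and the starting point is derived by reducing SHA3-256 of the input modulo p. Brute-force point counting stands in for Schoof's algorithm, so primes must stay small; the cross-check a_p ≡ (−1)^m H_p(λ) (mod p) is the relation from the proof of that theorem.

```python
# Added example (not from the paper): Hasse polynomial, the iteration of
# Section 3.1 over F_p, and the functional-graph statistics of Section 3.2.
import hashlib
import random
from math import comb


def hasse_coeffs(p):
    """Coefficients of H_p(x) = sum_{i=0}^{m} C(m,i)^2 x^i mod p, m = (p-1)/2
    (Silverman V.4.1; assumed here to be the paper's equation (1))."""
    m = (p - 1) // 2
    return [comb(m, i) ** 2 % p for i in range(m + 1)]


def hasse_eval(p, lam, coeffs=None):
    """Evaluate H_p(lam) mod p by Horner's rule."""
    coeffs = coeffs or hasse_coeffs(p)
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * lam + c) % p
    return acc


def trace_mod_p_by_counting(p, lam):
    """a_p = p + 1 - #E(F_p) for y^2 = x(x-1)(x-lam), by brute-force point
    counting (toy stand-in for Schoof's algorithm); returned mod p."""
    count = 1  # point at infinity
    for x in range(p):
        v = x * (x - 1) * (x - lam) % p
        if v == 0:
            count += 1
        elif pow(v, (p - 1) // 2, p) == 1:  # Euler criterion: v is a square
            count += 2
    return (p + 1 - count) % p


def iteration_step(p, lam, coeffs):
    """Assumed form of iteration (4): lam -> lam - H_p(lam) mod p.
    Fixed points are exactly the roots of H_p in F_p."""
    return (lam - hasse_eval(p, lam, coeffs)) % p


def functional_graph_stats(f, n, k_max):
    """For f on {0,..,n-1}: fixed points, how many elements eventually reach a
    fixed point, the longest such path, and how many are within k steps."""
    dist = {x: 0 for x in range(n) if f(x) == x}  # distance to a fixed point
    for x in range(n):
        if x in dist:
            continue
        path, y = [], x
        while y not in dist and y not in path:
            path.append(y)
            y = f(y)
        if y in dist and dist[y] is not None:
            d = dist[y]
            for z in reversed(path):
                d += 1
                dist[z] = d
        else:  # fell into a cycle without a fixed point
            for z in path:
                dist[z] = None
    reach = [d for d in dist.values() if d is not None]
    return {
        "fixed_points": sorted(x for x, d in dist.items() if d == 0),
        "reaching": len(reach),
        "max_steps": max(reach) if reach else 0,
        "within": [sum(1 for d in reach if d <= k) for k in range(k_max + 1)],
    }


def supersingular_iteration_stats(p, k_max=5):
    coeffs = hasse_coeffs(p)
    return functional_graph_stats(lambda x: iteration_step(p, x, coeffs), p, k_max)


def random_function_stats(n, k, k_max=5, seed=0):
    """Random function on n elements with exactly k fixed points (Example 5)."""
    rng = random.Random(seed)
    fixed = set(rng.sample(range(n), k))
    table = {}
    for x in range(n):
        y = x if x in fixed else rng.randrange(n)
        while x not in fixed and y == x:  # non-fixed elements must move
            y = rng.randrange(n)
        table[x] = y
    return functional_graph_stats(lambda x: table[x], n, k_max)


def hash_to_start(msg, p):
    """Starting point lam_0 from the hash input (assumed: SHA3-256 mod p)."""
    return int.from_bytes(hashlib.sha3_256(msg).digest(), "big") % p


def iterate_to_fixed_point(p, msg, max_steps):
    """Hash-then-iterate; returns a root of H_p or None if no fixed point is hit."""
    coeffs = hasse_coeffs(p)
    lam = hash_to_start(msg, p)
    for _ in range(max_steps):
        nxt = iteration_step(p, lam, coeffs)
        if nxt == lam:
            return lam
        lam = nxt
    return None


if __name__ == "__main__":
    for p in (7, 11, 19, 23, 31):  # p = 3 mod 4, so roots exist in F_p
        print(p, supersingular_iteration_stats(p, k_max=3))
    print("random", random_function_stats(31, 3, k_max=3, seed=1))
```

For p = 7 the iteration has fixed points {2, 4, 6}, the Legendre λ-values of the single supersingular j-invariant, and every element of F_7 reaches one within two steps; for p ≡ 1 (mod 4) there are no fixed points over F_p at all, matching Section 3. Raising p lets the statistics be compared against random_function_stats with the same number of fixed points.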
Based on this behavior, using iteration to efficiently find a supersingular elliptic curve (or to hash to a supersingular elliptic curve) does not seem to be practical. For concreteness, we will focus on iterating (4) over when . The basic idea would be to pick a random starting element and iterate times, hoping to find a fixed point. Thus the key property of the iteration to understand is the number of points which iterate to a fixed point in steps. We expect on the order of points with this property, both based on experiments and based on Heuristic 2 plus the analysis in Section 3.3.
Proposition 3
Assuming Heuristic 2, iterating times over will find a fixed point (and hence a supersingular elliptic curve) with probability on the order of . This requires evaluations of . In particular, iteration would not give an efficient method of finding supersingular -invariants.
Proof
There are on the order of elements of which iterate to a fixed point within steps. To check whether the last element is fixed requires one additional evaluation of . The chance of randomly choosing to start at one of these elements is on the order of .
While we can evaluate efficiently using Schoof’s algorithm, to be efficient the number of evaluations must still be polynomial in . In that case the probability of finding a supersingular curve would be exponentially small in . ∎
Remark 1
The probability of a random curve being supersingular is on the order of . We can check whether a randomly chosen -invariant is supersingular by evaluating . Checking random curves would require evaluations of , and again would find a supersingular -invariant in with probability on the order of . In particular, the iterative method is no better than randomly guessing and neither approach can efficiently find a supersingular -invariant.
Remark 2
For the iterative method to offer an improvement, we would need a way to make a “giant step” and efficiently iterate multiple times at once. For example, given the th iteration we would like to be able to efficiently compute the th iteration. We do not know if this is possible.
Remark 3
This iterative method would not produce supersingular curves uniformly at random. Taking , when iterating (4) there are fixed points which no other elements of reach upon iteration, but there are also fixed points that other elements of reach upon iteration.
3.3 Random functions with fixed points
We use the functional graph perspective on random mappings and the asymptotic analysis developed in Flajolet and Odlyzko [38] to analyze functions with many fixed points. For a function , the vertices are and there is a directed edge from to if . A function on elements with fixed points is represented by:
• A functional graph, consisting of rooted trees (one for each fixed point) plus a set of components without fixed points;
• Each component without fixed points is a collection of (at least two) trees where the roots are permuted cyclically;
• Each rooted tree is a node (the root) together with a possibly empty set of rooted trees that are the children.
Note that all of these objects are labeled.
As in [38], there is a standard method to give relationships between exponential generating functions for these objects. Let be the exponential generating function for random mappings with exactly fixed points. This means that
where is the number of such functions with total elements. Equivalently, it is the sum of over all functions with fixed points. Likewise let and be the exponential generating functions for components and trees, and let be the exponential generating function for fixed-point-free components.
Lemma 1
We have the following relationships:
(6) | ||||
(7) | ||||
(8) |
Proof
The first is a consequence of the fact that a function with fixed points consists of rooted trees plus a set of components with no fixed points. It is standard that
as a connected component based on a cycle of length is built out of trees and one can cyclically permute them. Therefore we see that
The third is standard, a consequence of the fact that a tree is a node plus a set of trees. ∎
We can use asymptotic analysis to compute the number of random functions with fixed points. Flajolet and Odlyzko [38, Proposition 1] give an asymptotic expansion
of around its singularity at . We can rewrite in terms of as
using that . We have that , so the leading term in the asymptotic expansion of is
Using [38, Theorem 1] gives the asymptotic
(9) |
For example, taking gives the asymptotic for . In comparison, Flajolet and Odlyzko’s asymptotic analysis gave the known fact (letting denote the number of functions on elements) that . As expected, this implies that about of randomly chosen functions do not have a fixed point.
Remark 4
Note that if is fixed as , the precise value of has no effect on the asymptotics of .
We will now modify our generating functions to take into account the number of elements which reach a fixed point after iterations of a random function. The key case is for trees, where we consider the exponential generating function where the coefficient of is the number of rooted trees of size with nodes that are distance at most from the root, divided by .
Lemma 2
We have that , that , and that .
Proof
The first equality reflects that each tree has exactly one node at distance from the root. The second comes from the fact that a rooted tree is a root plus a collection of child trees, and a node has distance at most from the root if it either is the root or has distance at most from the root of one of the child trees. The third equality is clear. ∎
We likewise modify to become a bi-variate exponential generating function which counts nodes with distance at most to one of the fixed points. It satisfies
Lemma 3
The exponential generating function for the sum of the number of elements which reach a fixed point after iterations for functions with fixed points is
Proof
This follows from viewing the bi-variate exponential generating function as a sum over all functions with fixed points. ∎
Proposition 4
For fixed and , the number of elements which reach a fixed point after iterations for a random function on elements with fixed points is asymptotically as .
Proof
Remark 5
These results require that and be fixed as grows. When analyzing iterating to supersingular -invariants, this assumption does not hold: if there are -invariants then on the order of of them are supersingular. A more careful analysis should give that the asymptotic of Proposition 4 continues to hold as long as and grow “slowly” compared to . Given the conclusion that iteration is not helpful for finding supersingular -invariants, we do not pursue this.
In light of this analysis of functions with many fixed points, the iterative methods investigated in Section 3.2 behave exactly like random functions with the correct number of fixed points.
4 Modular polynomials and curves isogenous to their conjugates
4.1 Overview
As described in the introduction and Section 2, Bröker’s method is limited by the degree of the Hilbert polynomials, upon which the runtime depends. However, taking small-degree Hilbert polynomials leads to curves with small endomorphisms (a vulnerability). In this section, we consider using polynomials whose roots correspond to curves with endomorphisms of exponentially large degree. The hope is, at least, to demonstrate a hard curve. The process we will describe does not, naïvely, appear likely to generate curves in a uniformly random manner, although perhaps it can be adapted.
If is a positive integer coprime to , then the classical modular polynomial is defined as follows. For any elliptic curve , let . There are elements of , where is the Dedekind psi function (recall that for prime, and is multiplicative; in particular, ). Write for the codomain of a separable -isogeny from with kernel . Then
In other words, if and only if and are -invariants related by a cyclic -isogeny. This remains the case over any field. (See [39, Chapter 5] for background.)
Now, consider the roots in of the univariate polynomial . These roots are the -invariants of curves with cyclic -isogenies to their conjugates (with root multiplicities equal to the number of distinct -isogeny kernels). Let be such a root and let over be an elliptic curve with . Denote by the Galois conjugate with respect to . One can compose the cyclic isogeny with the inseparable Frobenius map . When , which is the general case, then [40, Proposition 2] shows that (possibly by taking a quadratic twist) we obtain an isogeny that satisfies . An alternative explanation for this is given in the proof of [2, Lemma 6], where it is shown that if is small compared to and is supersingular then . Either way, it follows that the class group of acts on a large subset of the supersingular roots of .
There is no particular reason why these curves should also have small-degree non-integer endomorphisms.
The collection of supersingular curves with an -isogeny to the conjugate has been studied [41, 42, 40], and plays a role in the security of the path-finding problem [43]. Since the class group of acts on (a large subset of) this set, these curves form CSIDH-like graphs which could be used for cryptographic purposes [40]. Thus, a construction for random supersingular curves involving may lead to a means of sampling from these CSIDH-like graphs. As in the CSIDH setting, there are subexponential quantum algorithms to solve the vectorization or class group action problem (see [44, Section 9.1], [40] and [32]). Thus, if there is a curve of known endomorphism ring in this set (see for example [45]), one may be able to solve the fundamental isogeny problems (path-finding and endomorphism ring computation) in quantum subexponential time. This is still far from polynomial and may be considered secure for some applications.
For , the polynomial has degree , which is exponential with respect to . While this polynomial is quite sparse, especially when , we cannot compute its roots efficiently. The idea is to reduce that degree, and make computations manageable, by instead computing roots of the factor(s)
for some auxiliary , without explicitly computing or .
The proposed approach for constructing supersingular curves is then:
1. Choose and .
2. Compute one or more roots of in . There are of these roots, and we can compute them in polynomial time with respect to , , and (see §4.2).
3.
This method produces curves known to have endomorphisms of degree and . Since we wish to avoid endomorphisms of small degree, the presence of the degree- endomorphism means that we should take at least one of and to be exponentially large. Nevertheless, it is plausible that the information about the endomorphism leaked from the process of construction is not enough to allow us to compute efficiently (i.e., in polynomial time).
4.2 Computing roots of
We want to compute roots of in . Note that simply computing and in , computing their , and finding its roots is exponential in , because and ; these polynomials are sparse for large , but generic computations (which are quasilinear in the maximum of the degrees of the inputs [47]) cannot take advantage of this.
Algorithm 1 computes all of the -roots of in polynomial time with respect to , , and . (Algorithm 1 ignores root multiplicities, but can easily be modified to take them into account if required.) The key to its polynomial runtime in is that the polynomials and constructed in Lines 1 and 1 satisfy (by definition)
for all in , and it is much easier to solve the bivariate system than it is to compute when is large.
As has already been noted, for security in applications, at least one of and must be exponentially large. But if (or ) is super-polynomially large with respect to , then Algorithm 1 requires super-polynomial time and space, since it must work explicitly with the polynomials . Hence a natural question is whether we can do better than Algorithm 1 when one (or both) of and is large. This is an open question. If is small and is very large then a “dream” approach would be to compute using the classical algorithm and then somehow compute directly by some form of “square-and-multiply” approach without explicitly computing .
4.3 Supersingular roots of
Now we consider the question of how many of the roots of might be supersingular -invariants. The individual polynomials should be expected to have overwhelmingly ordinary roots, but there are some heuristic reasons to expect to have a higher proportion of supersingular roots and we give some evidence for this in Section 4.4.
A heuristic lower bound on the number of supersingular roots of can be obtained as follows. There are supersingular curves over , and of them have an -isogeny to their conjugate (combining [40, Theorem 2] and heuristic average class group estimates). Hence, we can postulate that a “random” supersingular curve has probability of having an -isogeny to its conjugate. Applying this to the supersingular curves that are roots of , we conclude that there should be supersingular roots of .
To summarize, if we expect that the properties of having an -isogeny and having an -isogeny to the conjugate are in an appropriate sense “independent,” then one might expect the supersingular portion of to have degree . Note that the resultant in line 5 of Algorithm 1 has degree , so there are roots of in (to see this, apply Bézout’s theorem to the polynomials and in Algorithm 1).
Given the degree estimate just described, one might consider taking the gcd of three different modular polynomials. This will almost certainly have a smaller degree: continuing the heuristic argument above would lead to supersingular roots for the gcd of , and . With such an estimate, one might consider taking and polynomial in . One might expect the 3-way gcd to have supersingular roots, provided it is not , by the same heuristics as above.
Remark 6
If has an -isogeny and an -isogeny to its conjugate , then it also has an -endomorphism to itself. When is inert in , some such will be reductions modulo of curves over with CM by , specifically those where the reduction of the -endomorphism factors through the conjugate. In this case, we can expect a nontrivial gcd between and the Hilbert class polynomial for .
Remark 7
If one desired uniformly randomly generated supersingular curves, one might consider using randomly generated and of a certain size. It is unclear what distribution of and would lead to a uniformly random distribution of supersingular curves, if any.
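To make the objects of this section concrete, here is an added, self-contained Python experiment in the spirit of the heuristics above and of the data in Section 4.4. It is not code from the paper: it uses only N = 2, a constructed toy prime p = 103 (chosen with p ≡ 3 mod 4 so that F_{p^2} = F_p(i) with i^2 = −1), and brute force over the 10609 elements of F_{p^2} instead of Algorithm 1. It enumerates the roots j of Φ_2(X, X^p) in F_{p^2}, i.e. the j-invariants with a cyclic 2-isogeny to their Galois conjugate, finds the supersingular j-invariants via the classical Hasse polynomial of the Legendre form y^2 = x(x − 1)(x − λ), and reports what fraction of the roots is supersingular. All function names (`phi2`, `hasse_roots`, `supersingular_j_invariants`, `roots_of_phi2_with_conjugate`, `summary`, ...) are the example's own.

```python
from math import comb

# Constructed toy parameters (not from the paper). P = 3 mod 4 so that
# F_{P^2} = F_P(i) with i^2 = -1; an element a + b*i is the pair (a, b).
P = 103
ZERO, ONE = (0, 0), (1, 0)


def add(x, y):
    return ((x[0] + y[0]) % P, (x[1] + y[1]) % P)


def sub(x, y):
    return ((x[0] - y[0]) % P, (x[1] - y[1]) % P)


def mul(x, y):
    a, b = x
    c, d = y
    return ((a * c - b * d) % P, (a * d + b * c) % P)


def fpow(x, e):
    """Square-and-multiply exponentiation in F_{P^2}."""
    r = ONE
    while e:
        if e & 1:
            r = mul(r, x)
        x = mul(x, x)
        e >>= 1
    return r


def inv(x):
    # (a + b i)^-1 = (a - b i) / (a^2 + b^2), the norm being in F_P^*
    a, b = x
    n = pow((a * a + b * b) % P, -1, P)
    return ((a * n) % P, (-b * n) % P)


def frob(x):
    """Frobenius x -> x^P, the non-trivial automorphism of F_{P^2}/F_P."""
    return fpow(x, P)


def field_elements():
    return [(a, b) for a in range(P) for b in range(P)]


# The classical modular polynomial Phi_2(X, Y) as (deg_X, deg_Y, coeff).
PHI2 = [(3, 0, 1), (0, 3, 1), (2, 2, -1),
        (2, 1, 1488), (1, 2, 1488),
        (2, 0, -162000), (0, 2, -162000),
        (1, 1, 40773375),
        (1, 0, 8748000000), (0, 1, 8748000000),
        (0, 0, -157464000000000)]


def phi2_int(x, y):
    """Phi_2 over the integers; Phi_2(j, j') = 0 iff j, j' are 2-isogenous."""
    return sum(c * x ** a * y ** b for a, b, c in PHI2)


def phi2(x, y):
    """Phi_2 evaluated in F_{P^2}."""
    acc = ZERO
    for a, b, c in PHI2:
        acc = add(acc, mul(mul(fpow(x, a), fpow(y, b)), (c % P, 0)))
    return acc


def hasse_roots():
    """lambda in F_{P^2} with y^2 = x(x-1)(x-lambda) supersingular: exactly
    the roots of H_P(t) = sum_i binom(m, i)^2 t^i, m = (P-1)/2 (Deuring/Hasse)."""
    m = (P - 1) // 2
    coeffs = [comb(m, i) ** 2 % P for i in range(m + 1)]
    roots = []
    for lam in field_elements():
        acc = ZERO
        for c in reversed(coeffs):  # Horner evaluation
            acc = add(mul(acc, lam), (c, 0))
        if acc == ZERO:
            roots.append(lam)
    return roots


def j_from_lambda(lam):
    """j = 256 (lam^2 - lam + 1)^3 / (lam^2 (lam - 1)^2); lam is never 0 or 1 here."""
    num = mul(fpow(add(sub(mul(lam, lam), lam), ONE), 3), (256 % P, 0))
    den = mul(mul(lam, lam), fpow(sub(lam, ONE), 2))
    return mul(num, inv(den))


def supersingular_j_invariants():
    return {j_from_lambda(lam) for lam in hasse_roots()}


def roots_of_phi2_with_conjugate():
    """All j in F_{P^2} with Phi_2(j, j^P) = 0, i.e. curves with a cyclic
    2-isogeny to their Galois conjugate.  Root multiplicities are ignored."""
    return {j for j in field_elements() if phi2(j, frob(j)) == ZERO}


def summary():
    ss = supersingular_j_invariants()
    roots = roots_of_phi2_with_conjugate()
    ss_roots = roots & ss
    return {"supersingular": len(ss), "roots": len(roots),
            "supersingular_roots": len(ss_roots),
            "fraction": len(ss_roots) / len(roots) if roots else 0.0}


if __name__ == "__main__":
    print(summary())
```

The reported `fraction` is the toy analogue of the "proportion of supersingular roots" measured in Section 4.4, for a single modular polynomial rather than for the gcd of two; the next step of the method, intersecting with the roots of a second Φ_N2(X, X^p), is omitted here. The brute force over F_{p^2} is of course only possible because p is tiny, which is exactly the point of the section: for cryptographic p one needs something like Algorithm 1, and even that is only polynomial in N1 and N2.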
4.4 Experimental evidence
| data set | points | avg. | avg. |
|---|---|---|---|
| all | 7046 | 0.9362 | 0.6251 |
| coprime | 4286 | 0.9189 | 0.6555 |
| not coprime | 2760 | 0.9632 | 0.5779 |
| | 3572 | 0.9424 | 0.6373 |
| | 3474 | 0.9300 | 0.6126 |
To test the heuristics of the previous section, the polynomials were computed for a fixed prime with pairs ranging over , . Figure 3 shows the degree of the part of the polynomial as compared with . Figure 4 shows the proportion of supersingular roots. Table 2 gives the average values of these quantities for various subsets of the data, including where is coprime or not, and where is inert or split in . Figure 5 gives a sense of how the number of roots of varies in an intricate manner as a function of and for fixed .
In addition, the polynomials were computed for various fixed pairs with ranging over all primes less than with . Figure 6 shows the degrees of and with respect to .
In general, the data seems to support the following patterns: (i) the degrees of the parts of may be similar to or slightly less than , (ii) the proportion of supersingular roots among roots is often high, (iii) there is variation in the ratio of supersingular roots with and , with slightly higher proportions found amongst and not coprime, and (iv) as varies, the degree of is relatively constant, but is dependent upon the coprimality, not just size, of and .
To conclude, supersingular -invariants seem to be a large proportion of the roots of . Hence, if there were an efficient way to compute these roots for a wide range of values then this might give a solution to the problem of hashing to a supersingular curve.
5 Constructing supersingular curves using constraints on their torsion
A supersingular curve is characterized by the number of points over any extension. Given a curve, Schoof’s algorithm [49] computes the trace. When hashing into supersingular graphs, we know the trace and we want to find a curve. Thus, one may try to use Schoof’s algorithm “backwards,” by setting up a system of equations restricting the trace (or, more directly, the field of definition of torsion points), and looking for solutions. This method may lead to a way to generate supersingular curves uniformly randomly, since some such systems have all supersingular curves as roots.
5.1 A system of equations
To introduce the approach, let us first discuss the case when is a prime of the form , where are small distinct odd primes. For such , the approach could proceed as follows. Let be some parameter for the curve, like the -invariant or the Montgomery coefficient. For every , write for the division polynomial of order of the curve parameterized by . These polynomials can be efficiently computed. Consider the system
(10)
with variables and . The equations of this system force the -torsion points of the curve with parameter to be defined over for all . Therefore the torsion is also defined over , which implies that any curve with parameter being a solution of (10) is supersingular. Taking the resultant of all polynomials in the system with respect to all variables but gives a polynomial whose roots are all parameters that correspond to supersingular curves.
More generally when is not smooth, one can fix a set of small primes or prime powers such that their product is above the Hasse bound, and replace the equations in (10) by alternative equations forcing the endomorphisms
where denotes the Frobenius endomorphism, on the curve with parameter to act trivially on the torsion.
For primes of the form where are small integers (as used in the SIDH key exchange [12]) one can replace a single equation in (10) by a polynomial system in the variables and
(11)
where are “-only” multiplication-by- polynomials on the curve of parameter . For any solution to this system, is the -coordinate of a point of order on the curve with parameter . Note that the equations are of degree roughly and is of degree .
As with other approaches involving large polynomial systems or large degree equations, the cost and optimal strategy to solve these systems are not obvious. We observe that the polynomial system (11) contains equations in variables of degree roughly and together with the equation translating the fact that the torsion points lie in of degree . Yet, compared to generic polynomial systems of the same degree and with an equal number of variables, the given polynomial systems have only a few mixed monomial terms. Further, they exhibit a certain block structure. Instead of using generic algorithms such as Gröbner basis computations, taking the full monomial structure into account might help to solve the polynomial systems faster. This might be feasible using algorithms such as Rojas’ algorithm for sparse polynomial systems [50]. However, further research is needed to draw conclusions about the concrete speedup that can be achieved using this additional structure and to assess the cost of solving the polynomial systems given in this section.
5.2 Variants
5.2.1 Reducing the number of solutions:
Instead of computing a random solution to the polynomial systems described in the previous section, and thus a random curve with the correct number of points, some applications require computing only one curve with unknown endomorphism ring. To achieve this, one could add additional equations to the systems (11) to reduce the number of expected solutions – potentially all the way to 1, in which case solving the system amounts to selecting a single curve.
One approach could be to restrict the -coordinate of torsion points to random cosets of multiplicative subgroups, namely replacing for some by
for suitable dividing , and random in . This will decrease the degrees of equations in the system, as well as the number of solutions. If one does not restrict the field equations for all , one may want to choose some uniformly at random.
Assuming that the solutions to the system (11) are “randomly” distributed among all cosets of the multiplicative subgroup, the expected number of solutions to the system is reduced by the number of such cosets. If one of the remaining solutions is chosen uniformly at random and if the cosets for different were chosen uniformly at random, then the supersingular elliptic curve corresponding to the final solution is a random supersingular elliptic curve. One could consider various versions of this, leaving more or fewer solutions.
5.2.2 Hybrid version:
Another variant is to drop some equations in the polynomial system (11). The resulting system then has more solutions. Each solution to the resulting system leads to a curve with a number of points with trace not fixed modulo the Hasse bound. That is, the curve generated might be of order different from the order we would like to find. Here, the number of equations dropped from the system (11) controls the size of . Thus, to compute a supersingular elliptic curve one may want to proceed as follows. One generates a system with fewer equations and keeps computing random solutions until the resulting curve has the correct order. We leave it for future research to examine how much easier it is to solve the resulting systems compared to (11).
6 Genus 2 Walks
In this section, we explore several approaches to sample a uniformly random supersingular elliptic curve based on the following general idea: start with a known supersingular elliptic curve , glue it to itself to construct a genus-2 Jacobian explicitly isogenous to , and then connect with a new random-looking elliptic product using Richelot isogenies, or through geometric inspection of the Jacobian (via its Kummer surface). One might hope that these genus-2 operations will “hide” obvious isogenies between the elliptic curves involved, but we will explain a number of issues with this approach at the end of Section 6.1.
Let be a principally polarised abelian surface (PPAS) over a finite field of characteristic . The correct generalisation of the notion of supersingularity to genus 2 is to say that is supersingular if and only if the Newton polygon of its Weil polynomial has all its slopes equal to ; this is the case if and only if the -torsion is isomorphic (as a group scheme) to either or , where is the -torsion group scheme of a supersingular elliptic curve (see Pries [51] for further detail). In the latter case, we say is a principally polarized superspecial abelian surface (PPSSAS).
Every PPAS is isomorphic (as a principally polarized abelian variety) to either the Jacobian of some genus-2 curve , or the product of two elliptic curves (which are both supersingular if is superspecial). Oort [52] has shown that every superspecial abelian surface is isomorphic as an unpolarized abelian variety to a product of supersingular elliptic curves, and that every supersingular abelian surface is at least isogenous to a product of supersingular elliptic curves (if the abelian surface is supersingular but not superspecial, then the isogeny is inseparable).
We can construct a superspecial Jacobian isogenous to a product of supersingular elliptic curves and by gluing them along their -torsion, say. This corresponds to a Richelot isogeny [53] , where is the graph of an isomorphism of group schemes that is an anti-isometry with respect to the -Weil pairing (see [54]); the resulting is always a Jacobian. (We can also glue along the -torsion for , and there is an analogous inseparable construction in [52] for gluing along the -divisible group schemes , but the case is sufficient to illustrate our ideas. There is no reason to suspect that or will give better results. The case also has the advantage of being completely explicit.)
6.1 Random Walks
Our first idea is simple: we begin with a supersingular elliptic curve and glue it to itself, which induces an isogeny to an abelian surface. We then take a random walk on the isogeny graph of abelian surfaces. Finally, we find the closest reducible surface and return one of its supersingular elliptic factors. The idea can be summarised in the following diagram:
The initial is superspecial, and so superspeciality is preserved so long as the isogenies in the random walk are of degree prime to the characteristic. This means that we are walking in the superspecial graph.
A similar situation occurs in [55], where the authors consider the supersingular isogeny problem in genus 2 and higher. We will only sketch the outline of their arguments and refer interested readers to their paper for details: In genus 2, given two superspecial abelian surfaces and , the idea is to reduce the problem of finding an isogeny to the problem of finding a factored isogeny and (un)gluings and . Finding the isogenies and is essentially done by taking random walks of length . Such a walk encounters a product of elliptic curves with probability , so after many random walks we should have found the required and . (The heuristics of [55] are made more rigorous in [56].)
Translating this to our setting, we see that random walks away from a fixed superspecial abelian surface have no better expected runtime at encountering a supersingular elliptic curve than simply searching for one directly by randomly sampling -invariants and testing if they correspond to supersingular elliptic curves.
Ultimately, for this approach to give any advantage over simply taking a random walk in the elliptic supersingular graph, we need the genus-2 walk to “hide” information about the relative endomorphism rings of the starting and ending elliptic factors. But as noted in [57, Section 2], by fixing a supersingular elliptic curve over a finite field it is possible to parametrise the space of PPSSASs by positive-definite hermitian matrices which are elements of the matrix algebra , where is the definite quaternion algebra that is ramified exactly at and . Furthermore, isogenies between PPSSASs can be represented by conjugation by matrices in the same matrix algebra. Thus, knowledge of the random walk in the genus-2 graph may allow the construction of a matrix in that can be used to construct a path between our base and final supersingular elliptic curves.
Lastly, knowledge of the genus-2 walk may allow for the adversary to compute the endomorphism ring of the target surface, by computing the matrix that corresponds to the isogeny walk. The endomorphism ring of an elliptic product contains the endomorphism ring of each factor as a direct summand, so this information should allow an adversary to compute the endomorphism ring of the resulting (supersingular) elliptic curve.
6.2 Constructing curves on the Kummer surface
We saw above that random walks in the superspecial genus-2 graph give no real advantage over random walks in the elliptic supersingular graph when constructing new supersingular elliptic curves—and in addition, they may reveal information about the endomorphism ring. But we know that every superspecial abelian surface is isomorphic to an elliptic product as an unpolarised abelian variety, so why not go looking for a new supersingular elliptic curve directly in ?
From a computational point of view, it is easier to work with curves on the Kummer surface, which is the quotient of by the action of the involution . The projective embeddings of the Kummer surface are easier to manage than those of the abelian surface , since they involve fewer equations and lower-dimensional ambient spaces; but they also retain much of the information of .
In this part, we consider the singular model in of the Kummer surface of an abelian surface . The model is defined by a single quartic equation (see e.g. [58, Eq. 3.1.8]). We write for the degree-two quotient map; this map is ramified precisely at the sixteen -torsion points of , and the images of these points under are the singular points of , known as nodes. We denote the set of nodes by .
If is an elliptic curve, then the restriction of to defines a double cover of curves . It follows from the Riemann–Hurwitz formula that is either an elliptic curve or a genus-0 curve; is an elliptic curve if and only if is unramified along ; and is a genus- curve if and only if is ramified at precisely points.
This observation provides two ideas for constructing a new supersingular elliptic curve from a superspecial abelian surface :
1. Find an elliptic curve on that does not go through any of the nodes of .
2. Find a genus- curve on that goes through precisely of the nodes of .
For both approaches, we consider the intersection of with a hyperplane .
Approach 1: For any hyperplane , the intersection is a plane quartic curve . If is non-singular then it is a genus- curve. If on the other hand is singular and has precisely two nodes then its (geometric) genus is . Hence, it is possible to obtain such genus- curves by constructing hyperplanes that contain precisely two of the nodes of . Each pair of nodes determines a one-parameter family of hyperplanes passing through them, and imposing singularity of the intersection at the nodes gives simple algebraic conditions on the parameter that let us choose “good” hyperplanes. (If required, one may define a birational map from to an elliptic curve in Weierstrass form.) There is an important caveat here: even if has genus 1, it may not be the image of an elliptic curve in .
In our experiments, we took to be the Kummer surface of the Jacobian of the superspecial curve over with . We note that this Jacobian is not Richelot-isogenous to any elliptic product (see e.g. [59, §4.15]), so we can be confident that any elliptic curves we find are not connected with some gluing along -torsion. Unfortunately, none of the elliptic curves we found using this approach were supersingular. We discuss reasons for this in §6.4 below.
Approach 2: This approach is doomed to fail: it is impossible to construct a hyperplane passing through precisely of the nodes of . Any three of the singular points in already define a hyperplane , and it turns out that this hyperplane must pass through exactly of the nodes. These hyperplanes, known as the tropes of the Kummer, are classical objects of study; there are sixteen of them, and the incidence structure formed by the intersections of tropes and nodes is a -configuration [60, §26].
If is a trope, then it is tangent to . The intersection is a smooth conic, taken twice, and the preimage of this conic in is isomorphic to the genus-2 curve generating as a Jacobian; its Weierstrass points are the ramified points above the six nodes (see [58, §3.7] for further details, including the explicit recovery of the genus-2 curve). This curve may degenerate to a union of two elliptic curves joined at one point, but then is an elliptic product itself, and these two elliptic curves are isomorphic to the factors—so we cannot obtain any new supersingular elliptic curves in this way.
6.3 Genus- curves on the desingularised Kummer
We can find more elliptic curves by computing the desingularization of the Kummer surface, which yields a smooth model in (see [58, Chapter 16] for more details). Concretely, let be a hyperelliptic curve. Then , where
is a smooth model of the Kummer surface of the Jacobian variety of (see Klein [61], and the survey articles by Dolgachev [62] and Edge [63]). As an intersection of three quadrics in , the intersection of with a hyperplane is a non-hyperelliptic genus- curve . We first explain how to construct different elliptic curves that arise as quotients of the curve , and later explore an alternative path where we choose hyperplanes in such a way that the curve is singular and its irreducible components are elliptic curves.
6.3.1 Elliptic curves as quotients
The intersection of the variety with a hyperplane defined by for some yields a non-hyperelliptic genus- curve . We are interested in certain elliptic curves with that arise as quotients of the curve . This situation is also studied by Stoll in [64]. The construction is depicted in Figure 7.
Lemma 4
Let and consider the involution in . Then
is a genus- curve.
Proof
The quotient map has degree . It is ramified at , a set of points, each with ramification index . The Riemann–Hurwitz formula gives , whence . ∎
We now show how to compute a Weierstrass equation for by example of the genus- curve , where
Moreover, we assume that since the other cases are obtained by permuting the variables.
First we simplify the equations defining using Gaussian elimination to obtain equations of the form
The quotient for is defined as the zero set of the two equations
in , where are such that . This corresponds to the image of under the projection projecting away from .
Note that is defined as the intersection of two quadrics in . To find a Weierstrass equation for this curve, let be a rational point. First perform a coordinate transformation such that and then consider the projection projecting away from the last coordinate. The restriction of this map to is birational and in particular the image of is a curve in defined by a cubic equation.
6.3.2 Singular hyperplane intersections
In this part we consider singular curves that arise as the intersection of with a hyperplane defined as for some coefficients . Such singular curves have geometric genus and there are different configurations that can occur. Since our goal is to find an elliptic curve, we are interested in singular curves that consist of several components with at least one of these an elliptic curve. Here, we discuss the construction of singular curves that consist of two elliptic curves intersecting in different points. This configuration is depicted in Figure 8.
Finding parameters such that the intersection is singular can be solved efficiently using linear algebra. For that purpose, one considers the Jacobian matrix of the variety . Let denote the evaluation of at a point . Then is singular in if and only if . Note that the last row of the matrix is given by the vector , hence the parameters must be chosen such that is a linear combination of the first three rows of the matrix so that is singular.
For most choices of , the curve will consist of only one irreducible component with precisely one singular point. As mentioned before, we intend to construct a curve with two genus- components and singular points. One possibility to achieve this is to choose such that for two indices in . In that case, not only , but has rank for every with if and otherwise.
We used this approach for different Kummer surfaces coming from a superspecial abelian variety. We obtained singular genus- curves that consisted of two elliptic curves intersecting in points. The configuration is depicted in Figure 8. However, none of the elliptic curves obtained in that way were supersingular.
6.4 Why do we only obtain ordinary elliptic curves?
In §6.2 and §6.3 we succeeded in constructing elliptic curves from the Kummer surfaces of superspecial abelian surfaces. However, these elliptic curves were not supersingular in most cases. At first glance this might contradict the intuition that we expect elliptic curves on superspecial abelian surfaces to be supersingular. To understand this situation, it is necessary to study the preimages of the constructed elliptic curves in the corresponding abelian surface.
Let us consider the second approach from §6.3, where we constructed elliptic curves in . If is an elliptic curve, then is a (possibly singular) genus- curve. On the other hand has genus if and only if the cover is unramified along . This means that must not go through any of the singular points . The preimages of the sixteen nodes of are lines in ; we write for this set of lines. Translating our condition on to , we see that should not intersect with . But using explicit descriptions of (see e.g. [65, §2.2]), it is easy to see that there does not exist a hyperplane in having trivial intersection with all of these lines. This shows that the elliptic curve does not correspond to an elliptic curve in .
A similar argument holds for the elliptic curves constructed in §6.2. The situation in the first approach of §6.3, where elliptic curves were constructed as quotients of genus- curves on , is different. One can show that the Jacobian of the genus- curve as above is isogenous to . But it is not clear if there is a relation to . We leave this as an open question.
Question 1
What is the relation between the elliptic curves and the Jacobian of the initial hyperelliptic curve?
Experimental results show that for each genus- curve, we find isomorphism classes of elliptic curves . In most cases, the elliptic curves are not supersingular. When starting with , we obtain a mix of ordinary and supersingular elliptic curves. If it is supersingular, the -invariant is .
7 Quantum algorithm for sampling a hard curve
On a classical computer, the CGL hash function returns a random curve in the supersingular -isogeny graph. As described in the introduction, if one wishes the curve to be a “hard curve” then the drawback to this approach is the need for a trusted party who will throw away the path information generated by the hash function. Classically, the trusted party seems difficult to avoid. In this section, we explore the possibility of using a quantum computer to efficiently sample a hard curve from the isogeny graph without leaking any information about the endomorphism ring of the curve.
Although it may be possible to create a quantum algorithm that, when run on a quantum computer, makes the path information inaccessible, there is still a drawback. Given a curve , we do not know if it was sampled using a classical computer (with an algorithm leaking information about ) or a quantum computer. Perhaps one can imagine a situation in which all parties inspect the quantum computer and agree it is a quantum computer, and run the program under observation. However, one may debate whether this situation differs appreciably from the situation in which all parties inspect a classical algorithm designed to delete the path information during its execution, and agree that it will delete it before it can be accessed. Perhaps one can hope for a means of making the quantum computation “auditable” in some way, but we do not have such a method here. In particular, even if this method samples a uniformly random supersingular curve, it cannot be turned into a hash function in the manner described in the introduction.
Leaving these concerns aside for now, we present below a novel mathematical approach to producing random supersingular curves. We use the idea of continuous-time quantum walks on isogeny graphs of supersingular elliptic curves in characteristic . The idea was first proposed by Kane, Sharif and Silverberg [66, 67] for constructing public-key quantum money. In their scheme, quantum walks are carried out over the ideal class group of a quaternion algebra; we adapt these walks to isogeny graphs. The key observation we make here is that the distribution of the curves defined by our sampling algorithm coincides with the limiting distribution of the quantum walks on the graphs.
7.1 Quantum computing background
A qubit holds a quantum state that is a superposition (unit length -linear combination) of the two possible classical states of a bit, i.e. an element of complex norm of . An -qubit quantum register holds a quantum state that is a higher-dimensional analogue: an element of complex norm in . Given any orthonormal basis of the -vector space, we can rewrite the state in that basis: . Some of the power of quantum computers comes from the fact that superpositions of qubits lie in an dimensional state space: the -fold tensor product of the individual -dimensional state spaces (indeed ). Most of those states are entangled, meaning that they are not simple tensors in the bases for the individual qubits.
A quantum state cannot be observed except by measurement in an orthonormal basis , a process which collapses the state to one of the basis elements , where state is obtained with probability (the unit length condition implies a valid probability distribution). If there are several registers, we can measure just one, obtaining a superposition of the remaining registers. In a superposition , if we measure the first register, we obtain state (where is chosen to scale to unit length) for some , with probability .
To get started on a quantum computer, one can initialize simple states such as uniform superpositions . A quantum computer then operates on quantum states by unitary operators. Among the most famous is the quantum Fourier transform, whose matrix is that of the inverse discrete Fourier transform. In particular, it operates by
Classical algorithms can be performed in a quantum manner on one quantum register to store the output in another. In particular, for an efficiently computable function we can perform the operation
7.2 Sampling curves on a quantum computer
7.2.1 A naïve approach.
To mimic the CGL algorithm in superposition, we first generate the superposition
where is the number of supersingular curves. Then simultaneously for each , we use the classical CGL algorithm to compute a curve , at the end of the path associated to , storing the result in a second register. The resulting superposition is
Measuring this state collapses the superposition to a classical state for some uniformly random . This is exactly the output of the CGL algorithm for a random input , so the above procedure does not do anything more than the classical CGL. In particular, the path is stored in the first register. One way to avoid revealing the path is to apply the quantum Fourier transform to the first register and measure the result. The state we get is
for some uniformly random . Now, measuring this state produces a uniformly random curve without revealing anything about the path . However, this approach does not have any advantage over the classical CGL algorithm, as performing the quantum Fourier transform to “hide” the path information is analogous to including instructions to discard the path information in the classical CGL. In particular, if one measured the first register before the quantum Fourier transform is applied, one could recover the path information. Such runtime interference would not be detectable from the output state alone.
7.2.2 Continuous-time quantum walk algorithm.
One way to model random walks on a graph is to apply the adjacency matrix as an operator on the real vector space generated by the vertices (a Markov process). Naïvely, one might hope to mimic this on a superposition of the vertices, but unfortunately, this matrix is not unitary. The substitute is the notion of a quantum walk, where the adjacency matrix is replaced by its exponential, which is unitary.
The adjacency matrix of the -isogeny graph is an matrix called the Brandt matrix. Let us assume, for simplicity, that is symmetric. (Footnote 2: this assumption holds under a mild condition on the characteristic .) Let be the set of supersingular elliptic curves in characteristic . The operator acts on the module
In the quantum setting, we will work with the complex Euclidean space
Note that in order to implement this space on a quantum computer, we use a computational basis of -invariants, so we will include ordinary curves also. However, the random walk, if initiated with a supersingular curve, will restrict itself to the subspace generated by the set of supersingular curves.
Let . The operator is unitary (since is hermitian) and its eigenvalues are for the eigenvalues of . The operator implements a continuous-time quantum walk at time on the -isogeny graph. What matters for us is that this quantum walk yields a certain probability distribution on supersingular elliptic curves, together with a way to draw from it, so that we can produce a random supersingular elliptic curve (random according to this distribution). This is done in the following way: fix an initial supersingular curve and a bound , pick a time uniformly at random, compute and measure in the basis . The probability of measuring a curve is then given by [68, Chapter 16]
(12)
For this process to be useful, we must answer two questions about the distribution (12) on the vertices of the -isogeny graph: (i) How efficient is sampling from this distribution? and (ii) Do samples leak information about endomorphism rings?
We comment on the second question first: The question of information leakage requires that we understand the distribution (12) and the endomorphism rings of its outputs. However, given an initial curve , this distribution seems difficult to analyse. In particular, it is not the same as the distribution of endpoints of a classical random walk on the -isogeny graph.
Regarding efficiency, for any prime , the operator is sparse in the sense that there are only nonzero entries in each row or column. Therefore, is a good candidate for a Hamiltonian of continuous-time quantum walks; we can use standard Hamiltonian simulation techniques to implement the quantum walk operator . However, the running time of the best known simulation algorithm depends linearly on [69]. Therefore, these quantum walks can efficiently be performed only for time .
7.2.3 Moving to a limiting distribution.
To remedy these issues, we consider the limiting distribution of (12). Let , be a set of eigenvectors of and let be the corresponding eigenvalues. It can be shown that [68, Section 16.6]
(13)
This limiting distribution is more tractable than (12), as it is stated in terms of the spectral theory of the graph. In practice, for the distribution (12) to be negligibly close to (13), the value must be large for any . However, the eigenvalues of are all in the range , so there are some eigenvalues that are exponentially close to each other. This means that for us to assume that we are sampling according to (13), we must select to be exponentially large. But, as mentioned above, we can only implement the walk operator for polynomially large . Therefore, if we wish to use this nicer distribution, we need a different sampling algorithm which is efficient for larger .
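The two distributions can be computed side by side on a small graph. The following is an added example, not code from the paper: it uses the Petersen graph as a constructed stand-in for the Brandt matrix (it is 3-regular like a 2-isogeny graph, but it is not an isogeny graph), takes the adjacency matrix to be symmetric as assumed in the text, and does the eigen-decomposition with a plain Jacobi routine so that only the standard library is needed; the notation <v|P_lam|v0> in the comments is the entry of the projector onto the lam-eigenspace.

```python
import math

# Constructed stand-in for the Brandt (adjacency) matrix of a 2-isogeny graph:
# the Petersen graph is 3-regular like a 2-isogeny graph but is not an actual
# isogeny graph; it only lets distributions (12) and (13) be computed end to end.
def petersen_adjacency():
    n = 10
    a = [[0.0] * n for _ in range(n)]
    for i in range(5):  # outer 5-cycle, spokes, inner pentagram
        for u, v in ((i, (i + 1) % 5), (i, i + 5), (i + 5, 5 + (i + 2) % 5)):
            a[u][v] = a[v][u] = 1.0
    return a

def jacobi_eigh(a, tol=1e-18, max_sweeps=100):
    """Cyclic Jacobi eigen-decomposition of a real symmetric matrix (the Hamiltonian A).
    Returns (eigenvalues, V) with column V[:, k] a unit eigenvector for eigenvalue k."""
    n = len(a)
    a = [row[:] for row in a]
    v = [[float(i == j) for j in range(n)] for i in range(n)]
    for _ in range(max_sweeps):
        if sum(a[i][j] ** 2 for i in range(n) for j in range(n) if i != j) < tol:
            break
        for p in range(n):
            for q in range(p + 1, n):
                if a[p][q] == 0.0:
                    continue
                theta = (a[q][q] - a[p][p]) / (2 * a[p][q])
                t = math.copysign(1.0, theta) / (abs(theta) + math.hypot(theta, 1.0))
                c = 1.0 / math.hypot(t, 1.0)
                s = t * c
                for m in (a, v):  # M <- M J on columns p, q (for both A and V)
                    for k in range(n):
                        mkp, mkq = m[k][p], m[k][q]
                        m[k][p], m[k][q] = c * mkp - s * mkq, s * mkp + c * mkq
                for k in range(n):  # A <- J^T A on rows p, q
                    apk, aqk = a[p][k], a[q][k]
                    a[p][k], a[q][k] = c * apk - s * aqk, s * apk + c * aqk
    return [a[i][i] for i in range(n)], v

def limiting_distribution(eigvals, vecs, v0, tol=1e-6):
    """Distribution (13): pi(v) = sum over distinct eigenvalues lam of <v|P_lam|v0>^2,
    with P_lam the orthogonal projector onto the lam-eigenspace of A."""
    n = len(eigvals)
    distinct = []
    for lam in eigvals:
        if all(abs(lam - mu) > tol for mu in distinct):
            distinct.append(lam)
    pi = [0.0] * n
    for lam in distinct:
        ks = [k for k in range(n) if abs(eigvals[k] - lam) <= tol]
        for v in range(n):
            amp = sum(vecs[v][k] * vecs[v0][k] for k in ks)  # <v|P_lam|v0>
            pi[v] += amp * amp
    return pi

def walk_distribution(eigvals, vecs, v0, T):
    """Distribution (12): (1/T) * integral_0^T |<v|exp(-iAt)|v0>|^2 dt, the law of the
    vertex measured after walking for a time t drawn uniformly from [0, T].
    Expanding exp(-iAt) in the eigenbasis of A makes the time average closed-form."""
    n = len(eigvals)
    out = []
    for v in range(n):
        c = [vecs[v][k] * vecs[v0][k] for k in range(n)]  # <v|k><k|v0>
        total = 0.0
        for j in range(n):
            for k in range(n):
                x = (eigvals[j] - eigvals[k]) * T
                # a pair with lam_j != lam_k averages to sin(x)/x, which dies off only
                # once T >> 1/|lam_j - lam_k|: nearly degenerate eigenvalues force huge T
                total += c[j] * c[k] * (1.0 if abs(x) < 1e-12 else math.sin(x) / x)
        out.append(total)
    return out

if __name__ == "__main__":
    vals, vecs = jacobi_eigh(petersen_adjacency())
    for T in (1.0, 10.0, 1000.0):
        print(f"T={T:g}", [round(x, 3) for x in walk_distribution(vals, vecs, 0, T)])
    print("limit (13)", [round(x, 3) for x in limiting_distribution(vals, vecs, 0)])
```

Increasing T shows (12) approaching (13), and the sin(x)/x factor on the cross terms is exactly why eigenvalues that are close together force T to be large.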
There is a (heuristic) polynomial time algorithm for sampling according to the limiting distribution (13) using phase estimation. This algorithm is based on the crucial fact that the set of operators have a simultaneous set of eigenstates, namely the , from above. Since is a basis, we can write
Now let be a set of primes of size . Quantum phase estimation is an algorithm to recover the phase (which contains the eigenvalue information) of a unitary operator . Specifically, if for , the algorithm recovers an approximation to . We will use phase estimation on the operator with the input state . Let be the eigenvalue of corresponding to the eigenstate . Then, because of the relationship between the eigenvalues of and those of , after phase estimation we obtain the state
(14)
where . Measuring the second register (which reveals a value ) we obtain a state that is a projection of the state (14) onto a smaller subspace . If we repeat this procedure but now with the operator and the input state , we get a new state that is the projection of onto a smaller subspace . If is large enough, repeating this procedure for all the remaining we end up with some eigenstate with probability ; see [66, 67] for a detailed analysis of this claim. Now, if we measure in the basis , we obtain a curve with probability . Therefore, is a sample from the distribution (13).
7.2.4 Challenges.
This proposed method still presents a few important questions. First, a theoretical analysis of the distribution (13) is needed. As the -isogeny graph is heuristically believed to behave as a random -regular graph, one hopes this distribution will approach the uniform distribution over supersingular curves mod . Second, the measurement process for phase estimation reveals a series of approximations to the eigenvalues of the eigenstate under the operators . It is unknown whether revealing this partial eigensystem reveals any information, for example about the likely endomorphism ring of the resulting curve.
References
- [1] Bröker, R. (2009) Constructing supersingular elliptic curves. J. Comb. Number Theory, 1, 269–273.
- [2] Charles, D. X., Lauter, K. E., and Goren, E. Z. (2009) Cryptographic hash functions from expander graphs. J. Cryptology, 22, 93–113.
- [3] Couveignes, J.-M. (2006) Hard homogeneous spaces. Cryptology ePrint Archive, Paper 2006/291, https://eprint.iacr.org/2006/291.
- [4] Rostovtsev, A. and Stolbunov, A. (2006) Public-key cryptosystem based on isogenies. Cryptology ePrint Archive, Paper 2006/145, https://eprint.iacr.org/2006/145.
- [5] Castryck, W., Lange, T., Martindale, C., Panny, L., and Renes, J. (2018) CSIDH: An efficient post-quantum commutative group action. Peyrin, T. and Galbraith, S. D. (eds.), ASIACRYPT 2018, vol. 11274 of Lecture Notes in Computer Science, pp. 395–427, Springer.
- [6] Yoo, Y., Azarderakhsh, R., Jalali, A., Jao, D., and Soukharev, V. (2017) A post-quantum digital signature scheme based on supersingular isogenies. International Conference on Financial Cryptography and Data Security, vol. 10322 of Lecture Notes in Computer Science, pp. 163–181, Springer.
- [7] Galbraith, S. D., Petit, C., and Silva, J. (2020) Identification protocols and signature schemes based on supersingular isogeny problems. Journal of Cryptology, 33, 130–175.
- [8] De Feo, L. and Galbraith, S. D. (2019) SeaSign: Compact isogeny signatures from class group actions. EUROCRYPT (3), vol. 11478 of Lecture Notes in Computer Science, pp. 759–789, Springer.
- [9] Decru, T., Panny, L., and Vercauteren, F. (2019) Faster SeaSign signatures through improved rejection sampling. PQCrypto 2019, vol. 11505 of Lecture Notes in Computer Science, pp. 271–285, Springer.
- [10] Beullens, W., Kleinjung, T., and Vercauteren, F. (2019) CSI-FiSh: Efficient isogeny based signatures through class group computations. ASIACRYPT (1), vol. 11921 of Lecture Notes in Computer Science, pp. 227–247, Springer.
- [11] De Feo, L., Kohel, D., Leroux, A., Petit, C., and Wesolowski, B. (2020) SQISign: Compact post-quantum signatures from quaternions and isogenies. Moriai, S. and Wang, H. (eds.), ASIACRYPT 2020, vol. 12491 of Lecture Notes in Computer Science, pp. 64–93, Springer.
- [12] Jao, D. and De Feo, L. (2011) Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. International Workshop on Post-Quantum Cryptography, pp. 19–34, Springer.
- [13] Castryck, W. and Decru, T. (2022) An efficient key recovery attack on SIDH (preliminary version). Cryptology ePrint Archive, Paper 2022/975, https://eprint.iacr.org/2022/975.
- [14] Maino, L. and Martindale, C. (2022) An attack on SIDH with arbitrary starting curve. Cryptology ePrint Archive, Paper 2022/1026, https://eprint.iacr.org/2022/1026.
- [15] Robert, D. (2022) Breaking SIDH in polynomial time. Cryptology ePrint Archive, Paper 2022/1038, https://eprint.iacr.org/2022/1038.
- [16] Eisenträger, K., Hallgren, S., Lauter, K. E., Morrison, T., and Petit, C. (2018) Supersingular isogeny graphs and endomorphism rings: Reductions and solutions. Nielsen, J. B. and Rijmen, V. (eds.), EUROCRYPT 2018 Proceedings, Part III, vol. 10822 of Lecture Notes in Computer Science, pp. 329–368, Springer.
- [17] Galbraith, S. D., Petit, C., Shani, B., and Ti, Y. B. (2016) On the security of supersingular isogeny cryptosystems. Cheon, J. H. and Takagi, T. (eds.), ASIACRYPT 2016 Proceedings, Part I, vol. 10031 of Lecture Notes in Computer Science, pp. 63–91.
- [18] Wesolowski, B. (2022) The supersingular isogeny path and endomorphism ring problems are equivalent. 2021 IEEE 62nd Annual Symposium on Foundations of Computer Science (FOCS), pp. 1100–1111, IEEE.
- [19] Boneh, D. and Love, J. (2020) Supersingular curves with small noninteger endomorphisms. ANTS XIV—Proceedings of the Fourteenth Algorithmic Number Theory Symposium, vol. 4 of Open Book Series, pp. 7–22, Mathematical Sciences Publishers.
- [20] Castryck, W., Panny, L., and Vercauteren, F. (2020) Rational isogenies from irrational endomorphisms. Canteaut, A. and Ishai, Y. (eds.), EUROCRYPT 2020 Proceedings, Part II, vol. 12106 of Lecture Notes in Computer Science, pp. 523–548, Springer.
- [21] Alamati, N., De Feo, L., Montgomery, H., and Patranabis, S. (2020) Cryptographic group actions and applications. Moriai, S. and Wang, H. (eds.), ASIACRYPT 2020 Proceedings, Part II, vol. 12492 of Lecture Notes in Computer Science, pp. 411–439, Springer.
- [22] De Feo, L., Masson, S., Petit, C., and Sanso, A. (2019) Verifiable delay functions from supersingular isogenies and pairings. ASIACRYPT 2019, pp. 248–277, Springer.
- [23] Moriya, T., Takashima, K., and Takagi, T. (2020) Group key exchange from CSIDH and its application to trusted setup in supersingular isogeny cryptosystems. Liu, Z. and Yung, M. (eds.), Information Security and Cryptology, Cham, pp. 86–98, Springer International Publishing.
- [24] Basso, A., Codogni, G., Connolly, D., De Feo, L., Fouotsa, T. B., Lido, G. M., Morrison, T., Panny, L., Patranabis, S., and Wesolowski, B. (2023) Supersingular curves you can trust. Hazay, C. and Stam, M. (eds.), Advances in Cryptology – EUROCRYPT 2023, Cham, pp. 405–437, Springer Nature Switzerland.
- [25] Burdges, J. and De Feo, L. (2021) Delay encryption. Annual International Conference on the Theory and Applications of Cryptographic Techniques, pp. 302–326, Springer.
- [26] Boneh, D., Kogan, D., and Woo, K. (2020) Oblivious pseudorandom functions from isogenies. International Conference on the Theory and Application of Cryptology and Information Security, pp. 520–550, Springer.
- [27] Basso, A., Kutas, P., Merz, S.-P., Petit, C., and Sanso, A. (2021) Cryptanalysis of an oblivious PRF from supersingular isogenies. International Conference on the Theory and Application of Cryptology and Information Security, pp. 160–184, Springer.
- [28] Petit, C. (2017) Faster algorithms for isogeny problems using torsion point images. ASIACRYPT 2017 Proceedings, Part II, pp. 330–353.
- [29] de Quehen, V., Kutas, P., Leonardi, C., Martindale, C., Panny, L., Petit, C., and Stange, K. E. (2021) Improved torsion-point attacks on SIDH variants. Malkin, T. and Peikert, C. (eds.), CRYPTO 2021 Proceedings, Part III, vol. 12827 of Lecture Notes in Computer Science, pp. 432–470, Springer.
- [30] Kutas, P., Merz, S.-P., Petit, C., and Weitkämper, C. (2021) One-way functions and malleability oracles: Hidden shift attacks on isogeny-based protocols. Canteaut, A. and Standaert, F. (eds.), EUROCRYPT 2021 Proceedings, Part I, vol. 12696 of Lecture Notes in Computer Science, pp. 242–271, Springer.
- [31] Azarderakhsh, R., Jao, D., Koziel, B., LeGrow, J. T., Soukharev, V., and Taraskin, O. (2020) How not to create an isogeny-based PAKE. International Conference on Applied Cryptography and Network Security, pp. 169–186, Springer.
- [32] Wesolowski, B. (2021) Orientations and the supersingular endomorphism ring problem. IACR Cryptol. ePrint Arch., p. 1583.
- [33] Mula, M., Murru, N., and Pintore, F. (2022) On random sampling of supersingular elliptic curves. Cryptology ePrint Archive, Paper 2022/528, https://eprint.iacr.org/2022/528.
- [34] Silverman, J. H. (2009) The arithmetic of elliptic curves, vol. 106 of Graduate Texts in Mathematics. Springer, Dordrecht, second edn.
- [35] Goldfeld, D. M. (1974) A simple proof of Siegel’s theorem. Proc. Nat. Acad. Sci. U.S.A., 71, 1055.
- [36] Delfs, C. and Galbraith, S. D. (2016) Computing isogenies between supersingular elliptic curves over . Des. Codes Cryptogr., 78, 425–440.
- [37] Martins, R., Panario, D., and Qureshi, C. (2019) A survey on iterations of mappings over finite fields. Schmidt, K.-U. and Winterhof, A. (eds.), Combinatorics and Finite Fields: Difference Sets, Polynomials, Pseudorandomness and Applications, vol. 23 of Radon Ser. Comput. Appl. Math., pp. 135–172, De Gruyter.
- [38] Flajolet, P. and Odlyzko, A. M. (1990) Random mapping statistics. Advances in cryptology—EUROCRYPT ’89 (Houthalen, 1989), vol. 434 of Lecture Notes in Comput. Sci., pp. 329–354, Springer, Berlin.
- [39] Lang, S. (1987) Elliptic functions, vol. 112 of Graduate Texts in Mathematics. Springer-Verlag, New York, second edn., with an appendix by J. Tate.
- [40] Chenu, M. and Smith, B. (2022) Higher-degree supersingular group actions. Mathematical Cryptology, 1, 85–101.
- [41] Arpin, S. (2022) Adding level structure to supersingular elliptic curve isogeny graphs, arXiv:2203.03531.
- [42] Arpin, S., Camacho-Navarro, C., Lauter, K., Lim, J., Nelson, K., Scholl, T., and Sotáková, J. (2021) Adventures in supersingularland. Experimental Mathematics, 0, 1–28.
- [43] Eisenträger, K., Hallgren, S., Leonardi, C., Morrison, T., and Park, J. (2020) Computing endomorphism rings of supersingular elliptic curves and connections to path-finding in isogeny graphs. ANTS XIV—Proceedings of the Fourteenth Algorithmic Number Theory Symposium, vol. 4 of Open Book Series, pp. 215–232, Mathematical Sciences Publishers.
- [44] Arpin, S., Chen, M., Lauter, K. E., Scheidler, R., Stange, K. E., and Tran, H. T. N. (2022) Orienteering with one endomorphism. IACR Cryptol. ePrint Arch., p. 098.
- [45] Chen, M. and Xue, J. (2022) On -roots of the Hilbert class polynomial modulo , arXiv:2202.04317.
- [46] Sutherland, A. V. (2012) Identifying supersingular elliptic curves. LMS Journal of Computation and Mathematics, 15, 317–325.
- [47] Möller, N. (2008) On Schönhage’s algorithm and subquadratic integer GCD computation. Math. Comp., 77, 589–607.
- [48] Bröker, R., Lauter, K., and Sutherland, A. V. (2012) Modular polynomials via isogeny volcanoes. Math. Comp., 81, 1201–1231.
- [49] Schoof, R. (1985) Elliptic curves over finite fields and the computation of square roots . Mathematics of Computation, 44, 483–494.
- [50] Rojas, J. M. (1999) Solving degenerate sparse polynomial systems faster. Journal of Symbolic Computation, 28, 155–186.
- [51] Pries, R. (2008) A short guide to -torsion of abelian varieties in characteristic . Computational arithmetic geometry, vol. 463 of Contemporary Mathematics, pp. 121–129, American Mathematical Society.
- [52] Oort, F. (1975) Which abelian surfaces are products of elliptic curves? Mathematische Annalen, 214, 35–48.
- [53] Richelot, F. J. (1837) De transformatione integralium Abelianorum primi ordinis commentatio. Journal für die reine und angewandte Mathematik, 16, 285–341.
- [54] Kani, E. (1997) The number of curves of genus two with elliptic differentials. J. reine angew. Math., 1997, 93–122.
- [55] Costello, C. and Smith, B. (2020) The supersingular isogeny problem in genus 2 and beyond. International Conference on Post-Quantum Cryptography, PQCrypto 2020, pp. 151–168, Springer.
- [56] Florit, E. and Smith, B. (2022) Automorphisms and isogeny graphs of abelian varieties, with applications to the superspecial Richelot isogeny graph. Anni, S., Karemaker, V., and Lorenzo García, E. (eds.), Arithmetic, geometry, cryptography and coding theory 2021, Contemporary Mathematics, American Mathematical Society, to appear.
- [57] Ibukiyama, T., Katsura, T., and Oort, F. (1986) Supersingular curves of genus two and class numbers. Compositio Mathematica, 57, 127–152.
- [58] Cassels, J. W. S. and Flynn, E. V. (1996) Prolegomena to a middlebrow arithmetic of curves of genus , vol. 230 of London Mathematical Society Lecture Note Series. Cambridge University Press, Cambridge.
- [59] Florit, E. and Smith, B. (2022) An atlas of the Richelot isogeny graph. RIMS Kôkyûroku Bessatsu, to appear.
- [60] Hudson, R. W. H. T. (1905) Kummer’s quartic surface. Cambridge University Press, Cambridge.
- [61] Klein, F. (1870) Zur Theorie der Liniencomplexe des ersten und zweiten Grades. Mathematische Annalen, 2, 198–226.
- [62] Dolgachev, I. (2019) Kummer surfaces: 200 years of study. Notices of the American Mathematical Society, 67.
- [63] Edge, W. L. (1967) A new look at the Kummer surface. Canadian Journal of Mathematics, 19, 952–967.
- [64] Stoll, M. (2019) Diagonal genus 5 curves, elliptic curves over , and rational diophantine quintuples. Acta Arithmetica, 190, 239–261.
- [65] Castorena, A. and Frías-Medina, J. B. (2021) Geometric aspects on Humbert-Edge’s curves of type 5, Kummer surfaces and hyperelliptic curves of genus 2, arXiv:2106.00813.
- [66] Kane, D. M. (2018) Quantum money from modular forms, arXiv:1809.05925.
- [67] Kane, D. M., Sharif, S., and Silverberg, A. (2021) Quantum money from quaternion algebras, arXiv:2109.12643.
- [68] Childs, A. Lecture notes on quantum algorithms, https://www.cs.umd.edu/~amchilds/qa/.
- [69] Berry, D. W., Childs, A. M., and Kothari, R. (2015) Hamiltonian simulation with nearly optimal dependence on all parameters. 2015 IEEE 56th Annual Symposium on Foundations of Computer Science, pp. 792–809, IEEE.