# Failing to hash into supersingular isogeny graphs

@article{Booher2022FailingTH, title={Failing to hash into supersingular isogeny graphs}, author={Jeremy Booher and Ross Bowden and Javad Doliskani and Tako Boris Fouotsa and Steven D. Galbraith and Sabrina Kunzweiler and Simon-Philipp Merz and Christophe Petit and Benjamin A. Smith and Katherine E. Stange and Yan Bo Ti and Christelle Vincent and Jos{\'e} Felipe Voloch and Charlotte Weitk{\"a}mper and Lukas Zobernig}, journal={IACR Cryptol. ePrint Arch.}, year={2022}, volume={2022}, pages={518} }

. An important open problem in supersingular isogeny-based cryptography is to produce, a trusted authority, concrete examples of “hard supersingular curves,” that is, concrete supersingular curves for which computing the endomorphism ring is as diﬃcult as it is for random supersingular curves. Or, even better, to produce a hash function to the vertices of the supersingular (cid:96) -isogeny graph which does not reveal the endomorphism ring, or a path to a curve of known endomorphism ring. Such…

## Figures and Tables from this paper

## One Citation

### Updatable Encryption from Group Actions

- Computer Science, MathematicsIACR Cryptol. ePrint Arch.
- 2022

It is proved that UE can be built from an ETOGA and how to instantiate this abstract structure from isogeny-based group actions, which are not mappable.

## References

SHOWING 1-10 OF 64 REFERENCES

### Orientations and the supersingular endomorphism ring problem

- Mathematics, Computer ScienceIACR Cryptol. ePrint Arch.
- 2021

Two important families of problems in isogeny-based cryptography are studied: computing the endomorphism ring of supersingular elliptic curves, and inverting the action of class groups on oriented supersingularity curves are proved to be closely related through polynomial-time reductions.

### Computing endomorphism rings of supersingular elliptic curves and connections to path-finding in isogeny graphs

- Mathematics, Computer Science
- 2020

A new algorithm for computing the endomorphism ring of a supersingular elliptic curve E that runs, under certain heuristics, in time $O((\log p)^2p^{1/2})$.

### Orienteering with one endomorphism

- Mathematics, Computer ScienceIACR Cryptol. ePrint Arch.
- 2022

Although the most general runtimes are subexponential, this paper demonstrates a class of (potentially large) endomorphisms, for any supersingular elliptic curve, for which the classical runtime is polynomial.

### Towards Quantum-Resistant Cryptosystems from Supersingular Elliptic Curve Isogenies

- Computer Science, MathematicsPQCrypto
- 2011

A new zero-knowledge identification scheme and detailed security proofs for the protocols, and a new, asymptotically faster, algorithm for key generation, a thorough study of its optimization, and new experimental data are presented.

### Adventures in Supersingularland

- Mathematics, Computer ScienceIACR Cryptol. ePrint Arch.
- 2019

This paper considers four aspects of supersingular isogeny graphs, study each thoroughly and, where appropriate, discuss how they relate to one another, and provides an analysis of the distances of connected components of $\mathcal{S}$.

### On the Security of Supersingular Isogeny Cryptosystems

- Computer Science, MathematicsASIACRYPT
- 2016

This work gives a very powerful active attack on the supersingular isogeny encryption scheme, and shows that the security of all schemes of this type depends on the difficulty of computing the endomorphism ring of asupersingular elliptic curve.

### The supersingular isogeny path and endomorphism ring problems are equivalent

- Mathematics, Computer Science2021 IEEE 62nd Annual Symposium on Foundations of Computer Science (FOCS)
- 2022

We prove that the path-finding problem in isogeny graphs and the endomorphism ring problem for supersingular elliptic curves are equivalent under reductions of polynomial expected time, assuming the…

### One-way functions and malleability oracles: Hidden shift attacks on isogeny-based protocols

- Mathematics, Computer ScienceIACR Cryptol. ePrint Arch.
- 2021

It is shown that for sufficiently unbalanced and overstretched SIDH parameters, this action can be efficiently computed (heuristically) using the torsion point information revealed in the protocol, and this reduces the underlying hardness assumption to a hidden shift problem instance which can be solved in quantum subexponential time.

### Cryptographic Hash Functions from Expander Graphs

- Mathematics, Computer ScienceJournal of Cryptology
- 2007

This work investigates two specific families of optimal expander graphs for provable collision resistant hash function constructions: the families of Ramanujan graphs constructed by Lubotzky-Phillips-Sarnak and Pizer respectively.

### Improved Torsion-Point Attacks on SIDH Variants

- Mathematics, Computer ScienceCRYPTO
- 2021

A classical attack that completely breaks the n-party group key exchange of [2] for 6 parties or more, and a quantum attack for 3 parties ormore that improves on the best known asymptotic complexity.