Hash functions from superspecial genus-2 curves using Richelot isogenies

Wouter Castryck; Thomas Decru; Benjamin Smith

doi:10.1515/jmc-2019-0021

Open Access Published by De Gruyter August 7, 2020

Hash functions from superspecial genus-2 curves using Richelot isogenies

Wouter Castryck , Thomas Decru and Benjamin Smith

From the journal Journal of Mathematical Cryptology

https://doi.org/10.1515/jmc-2019-0021

Abstract

In 2018 Takashima proposed a version of Charles, Goren and Lauter’s hash function using Richelot isogenies, starting from a genus-2 curve that allows for all subsequent arithmetic to be performed over a quadratic finite field 𝔽_p². In 2019 Flynn and Ti pointed out that Takashima’s hash function is insecure due to the existence of small isogeny cycles. We revisit the construction and show that it can be repaired by imposing a simple restriction, which moreover clarifies the security analysis. The runtime of the resulting hash function is dominated by the extraction of 3 square roots for every block of 3 bits of the message, as compared to one square root per bit in the elliptic curve case; however in our setting the extractions can be parallelized and are done in a finite field whose bit size is reduced by a factor 3. Along the way we argue that the full supersingular isogeny graph is the wrong context in which to study higher-dimensional analogues of Charles, Goren and Lauter’s hash function, and advocate the use of the superspecial subgraph, which is the natural framework in which to view Takashima’s 𝔽_p²-friendly starting curve.

Keywords: Isogeny; Cryptography

MSC 2010: 14K02; 14G50; 94A60

1 Introduction

After a cautious start with Couveignes’ unpublished note [1] from 1997 and Stolbunov’s master thesis [2] from 2004, the area of isogeny-based cryptography took a more visible turn in 2006 when Charles, Goren and Lauter [3] showed how to construct collision-resistant hash functions from deterministic walks in isogeny graphs of supersingular elliptic curves over finite fields. Five years later Jao and De Feo applied similar ideas to the design of a key exchange protocol [4, 5] now known as SIDH, after which isogenies became a very active topic of cryptographic research, largely due to their promise of leading to quantum resistant hard problems. Some of the recent constructions include non-interactive key exchange [6, 7], signatures [8, 9, 10] and verifiable delay functions [11]. In January 2019 SIKE [12], which is an incarnation of SIDH, was chosen as one of the seventeen second-round contenders to become a NIST standard for post-quantum key establishment.^[1]

While almost all of the ongoing research in isogeny-based cryptography is devoted to elliptic curves, there is a general awareness that many proposals should generalize to principally polarized abelian varieties (e.g., jacobians) of arbitrary dimension. This particularly applies to the supersingular isogeny walks on which SIDH and Charles, Goren and Lauter’s hash function are based. In fact, in a follow-up paper [13, §6.2] the latter authors already hint at the possibility of a higher-dimensional analogue of their hash function. In 2018, Takashima [14, §4.2] made the concrete proposal of using jacobians of supersingular genus-2 curves and their 15 outgoing (2, 2)-isogenies, which can be evaluated efficiently through Richelot’s formulas. By disallowing backtracking he uses this to process one base-14 digit for each isogeny evaluation. Moreover he provides specific starting curves, such as y² = x⁵ + 1 over 𝔽_p with p ≡ 4 mod 5, which allow for all computations to be done over 𝔽_p², as was shown by himself and Yoshida about a decade ago [15]. Unfortunately Takashima’s hash function is not collision-resistant due to the inherent presence of small cycles in the resulting isogeny graph, as was pointed out very recently by Flynn and Ti [16], who then proceeded with studying a genus-2 variant of SIDH.

The contributions of this paper are as follows. First, in Section 2 we argue that the full supersingular isogeny graph is the wrong arena for higher-dimensional analogues of Charles, Goren and Lauter’s hash function, and promote the use of superspecial subgraphs. In doing so we give a natural explanation for why Takashima and Yoshida’s starting curve indeed allows for all subsequent arithmetic to be carried out in 𝔽_p². Second, some first properties of the (2, 2)-isogeny graph of superspecial principally polarized abelian surfaces are gathered and proved in Section 4 and Appendix A. Third and foremost, we repair Takashima’s hash function by showing that an extremely simple restriction (which still allows us to process one base-8 digit, i.e., 3 bits per isogeny) both prevents the Flynn–Ti attack and simplifies the reasoning on security; we also show that with high probability, the starting curve y² = (x² – 1)(x² – 2x)(x – 1/2) over 𝔽_p with p ≡ 5 mod 6 naturally avoids running into products of elliptic curves, which as we will see are technical nuisances. The details can be found in Section 6 and Section 7. In Sections 8 and 9 we report on an implementation in Magma and compare its performance with the elliptic curve case of Charles, Goren and Lauter.

Why generalize?

Besides scientific curiosity, we see a number of motivations for investigating higher-dimensional isogeny-based cryptography:

There seem to exist beneficial trade-offs between the larger computational cost of each isogeny evaluation and features such as larger graph sizes, higher numbers of outgoing isogenies, or arithmetic in smaller finite fields. As an illustration of this, we note that in Charles, Goren and Lauter’s hash function one needs to compute one square root for each digested bit, while our proposal uses 3 square roots per 3 bits, which seems like no improvement at all, except that our square roots are to be extracted in finite fields of about one third of the bit size and can be handled in parallel. See Section 9 for some further comments on this.
The fact that higher-dimensional abelian varieties have torsion subgroups of larger rank may allow for a symmetric set-up of SIDH in which Alice and Bob sample their secrets from the same space (but this is not touched upon in the current paper).

2 Supersingular versus superspecial

One apparent point of concern is that in the case of elliptic curves over a finite field of characteristic p, supersingularity has many equivalent characterizations whose natural generalizations to higher dimension become distinct notions. For instance, one such characterization reads that the trace t of Frobenius satisfies t ≡ 0 mod p, which naturally generalizes to the requirement that the Hasse–Witt matrix M ∈ Fpg×g vanishes identically, this notion is called superspeciality.^[2] An alternative characterization states that the Newton polygon is a straight line segment with slope 1/2; this property makes sense in arbitrary dimension where it is still called supersingularity, but in dimension g ≥ 2 this is a weaker condition than superspeciality. A third characterization is that there exists no non-trivial p-torsion. This also makes sense in arbitrary dimension but in dimension g ≥ 3 it weakens the notion of supersingularity. A curve is called superspecial or supersingular if its accompanying jacobian is superspecial or supersingular respectively.

We refer to Li and Oort’s book [17] and to Brock’s thesis [18] and the references therein for general facts on supersingularity and superspeciality. Most notably, it can be shown that an abelian variety is supersingular if and only if it is isogenous to a product of supersingular elliptic curves, while it is superspecial if and only if it is isomorphic to such a product. Remarkably enough, in dimension g ≥ 2 all such products are isomorphic to each other, see e.g. [18, Thm. 2.1A] or [17, p. 13]. However, here we stress that ‘isogenous’ and ‘isomorphic’ should be understood in the context of abstract abelian varieties over 𝔽_p, discarding the principal polarization with which they may come equipped. In contrast, as p grows there exist many isomorphism classes of superspecial principally polarized abelian varieties, such as jacobians of superspecial curves: see Proposition 2 below for a precise count for g = 2.^[3] We will abbreviate principal polarization to p.p. from now on and will also assume that a product of elliptic curves always comes with the product polarization, unless stated otherwise.

We believe that the full graph of supersingular p.p. abelian varieties is the wrong context in which to study Charles–Goren–Lauter hash functions in dimension g ≥ 2. Instead we argue for use of the superspecial subgraph. Indeed, the moduli space of supersingular p.p. abelian varieties over 𝔽_p is ⌊g²/4⌋-dimensional [17, 4.9], whereas the superspecial sublocus is 0-dimensional [18, Thm. 3.9A]. The latter implies that there is only a finite number of them and, furthermore, they all admit a model over 𝔽_p² whose Frobenius endomorphism has characteristic polynomial χ(t) = (t ± p)^2g, in particular it acts as multiplication by ± p; see [20]. Assuming that p is odd, this implies that all 2-torsion is 𝔽_p²-rational, hence so are all (2, 2, …, 2)-isogenies and their codomains. By [18, Lem. 2.2A] these are again superspecial p.p. abelian varieties whose Frobenius has the same characteristic polynomial, so the argument repeats and we conclude that the full superspecial (2, 2, …, 2)-isogeny graph is defined over 𝔽_p². In fact, this is just an illustration of the general phenomenon that the rank of the Hasse–Witt matrix is invariant under separable isogenies, a proof of which can be found in Appendix C.

This clarifies the aforementioned observation by Takashima and Yoshida, whose starting curves are indeed superspecial. Several more examples of superspecial genus-2 curves over 𝔽_p can be found in [21], including y² = x⁵ – x which is superspecial if and only if p ≡ 5 or 7 mod 8, and y² = (x² – 1)(x² – 2x)(x – 1/2) which is superspecial if and only if p ≡ 5 mod 6. In characteristics 2 and 3 superspecial genus-2 curves do not exist. In general it seems unknown how to write down the equation of a random superspecial genus-2 curve.

Note that superspecial p.p. abelian varieties were also considered in Charles, Goren and Lauter’s follow-up paper [13], albeit in a more theoretical context and using different edge and vertex sets for the associated graphs.

3 Further preliminaries

3.1 Hyperelliptic curves of genus 2

Let K be a field of characteristic p > 5. A (hyperelliptic) curve of genus 2 overK is an algebraic curve defined by an equation of the form y² = f(x), where f(x) ∈ K[x] is a squarefree polynomial of degree 5 or 6. Up to K-isomorphism, any genus-2 curve has a representation with a monic polynomial of degree 6 and we will mostly work with these representations since it eases up the notation quite a bit. All formulas provided still work with a degree 5 polynomial if one sees the missing linear factor as 0 ⋅ x + 1. A genus-2 curve is completely determined (up to K-isomorphism) by weighted projective invariants called Igusa invariants. Since we only work over odd-characteristic fields, we opt to characterize them with the absolute Igusa variants defined in [22]. For our discussion it suffices to know that these invariants consist of an ordered triple (j₁, j₂, j₃) ∈ K³.

3.2 Richelot isogenies

A Richelot isogeny is a (2, 2)-isogeny between jacobians of genus-2 curves, i.e. the kernel of the isogeny is a group isomorphic to ℤ/2ℤ ⊕ ℤ/2ℤ that is maximal isotropic with regards to the 2-Weil pairing. Richelot isogenies split multiplication-by-2, in the sense that each Richelot isogeny ϕ : J_C → J_C′ has a unique dual Richelot isogeny ϕ̂ : J_C′ → J_C, and ϕ̂ ∘ ϕ = [2]_{J_C}. We recall here some of the facts about Richelot isogenies that are relevant to our construction; for a more in-depth discussion and a proof of Proposition 1, we refer to [23, Chapter 8].

The 2-torsion of the jacobian of the genus-2 curve C : y² = f(x) = ∏i=16(x – α_i) is {0} ∪ {[(α_i, 0)–(α_j, 0)] : i < j}, where the square brackets denote linear equivalence classes of divisors. A subgroup of the 2-torsion being maximal isotropic with regards to the 2-Weil pairing in this context simply means that the group contains exactly 3 non-trivial elements and that all α_i, 1 ≤ i ≤ 6, occur exactly once in all the representations combined. Hence the Richelot isogenies can be represented by sets of quadratic factors of f(x) that are pairwise coprime. More precisely, we define:

Definition 1

A quadratic splitting of a squarefree degree 6 (resp. degree 5) polynomial f(x) ∈ K[x] is an unordered triple {G₁, G₂, G₃} ⊂ K[x] of quadratic (resp. two quadratic and one linear) polynomials such that G₁G₂G₃ = f(x), considered modulo the equivalence

{G1,G2,G3}∼{βG1,γG2,(βγ)−1G3}for allβ,γ∈K¯×.

Returning to the above setting, let us write

G1=g1,3x2+g1,2x+g1,1=(x−α1)(x−α2),G2=g2,3x2+g2,2x+g2,1=(x−α3)(x−α4),G3=g3,3x2+g3,2x+g3,1=(x−α5)(x−α6),

where we incorporate the leading coefficients g_i,3 for the sake of generality (e.g., to cope with the degree 5 case where one of the g_i,3’s becomes zero). Then one sees that the (2, 2)-isogeny with kernel {0, [(α₁, 0) – (α₂, 0)], [(α₃, 0) – (α₄, 0)], [(α₅, 0) – (α₆, 0)]} can be identified by the quadratic splitting {G₁, G₂, G₃} of f(x).

There are 15 possible ways of organizing the roots α_i into distinct quadratic splittings. It is possible that the resulting quadratics are only defined over an extension of the field over which our curve C is defined, in which case both the corresponding (2, 2)-isogeny and its codomain also might be defined over this field extension. Nevertheless, if the splitting is fixed by Frobenius as a set, then the isogeny and codomain are defined over the ground field. As mentioned in Section 2, in the case of superspecial p.p. abelian surfaces, all domains, kernels, (2, 2)-isogenies and associated codomains are defined over 𝔽_p² up to isomorphism.

Proposition 1

LetC : y² = G₁(x) ⋅ G₂(x) ⋅ G₃(x) be a genus-2 curve, with {G₁, G₂, G₃} the quadratic splitting associated with a maximal 2-Weil isotropic subgroupS ⊂ J_C[2], and letϕ : J_C → A ≅ J_C/Sbe the quotient (2, 2)-isogeny. Following the notation above, let

δ:=detg1,3g1,2g1,1g2,3g2,2g2,1g3,3g3,2g3,1.

Ifδ ≠ 0, thenAis isomorphic to the jacobian of the genus-2 curve
C′:y2=δ−1H1(x)⋅H2(x)⋅H3(x)
where
H1:=G2′G3−G2G3′,H2:=G3′G1−G3G1′,H3:=G1′G2−G1G2′,
whereGi′is the derivative ofG_iwith respect tox. Moreover, {H₁, H₂, H₃} is a quadratic splitting corresponding to the dual isogenyϕ̂ : J_C′ → J_C.
Ifδ = 0, thenAis isomorphic to a product of elliptic curvesE₁ × E₂. The vanishing of the determinantδimplies that there exists₁ands₂in 𝔽_p²such that
Gi=ai,1(x−s1)2+ai,2(x−s2)2
for somea_i,1anda_i,2in 𝔽_p²fori = 1, 2, 3. The elliptic curves forming the product isomorphic toAcan be defined by the equations
E1:y2=∏i=13(ai,1x+ai,2),E2:y2=∏i=13(ai,1+ai,2x),
and the isogenyϕis induced byϕ₁ × ϕ₂, whereϕ₁ : C → E₁is (x, y) ↦ ((x – s₁)²/(x – s₂)², y/(x – s₂)³) andϕ₂ : C → E₂is (x, y) ↦ ((x – s₂)²/(x – s₁)², y/(x – s₁)³).

3.3 (2, 2)-isogenies from products of elliptic curves

We have treated the case of (2, 2)-isogenies whose domain is a jacobian; now we recall the corresponding results for the case where the domain is a product of elliptic curves. For proofs and more in-depth discussion, we refer to [24], [25] and [26].

Consider the p.p. abelian surface E₁ × E₂ given by the equations

E1:y2=∏i=13(x−αi),E2:y2=∏i=13(x−βi).

Just as in the case of jacobians of genus-2 curves, there are 15 outgoing (2, 2)-isogenies with domain E₁ × E₂. Of these, 9 correspond to an isogeny that is the product of 2-isogenies on the respective elliptic curves, such that the image of this isogeny is again simply a product of elliptic curves. The other 6 determine an isogeny where the kernel is given by

κ={(OE1,OE2),(P1,Qσ(1)),(P2,Qσ(2)),(P3,Qσ(3))},

with 𝓞_E₁ and 𝓞_E₂ are the neutral elements of E₁ and E₂, respectively, σ is a permutation of {1, 2, 3}, and P_i = (α_i, 0), Q_i = (β_i, 0).^[4] As long as κ is not the restriction of the graph of an isomorphism E₁ → E₂, the image of the isogeny determined by κ is the jacobian of a genus-2 curve which can be constructed as follows. Define Δ_α and Δ_β as the discriminants of the monic cubic polynomials ∏i=13(x−αi) and ∏i=13(x−βi) respectively, and

a1=(α3−α2)2/(β3−β2)+(α2−α1)2/(β2−β1)+(α1−α3)2/(β1−β3),b1=(β3−β2)2/(α3−α2)+(β2−β1)2/(α2−α1)+(β1−β3)2/(α1−α3),a2=α1(β3−β2)+α2(β1−β3)+α3(β2−β1),b2=β1(α3−α2)+β2(α1−α3)+β3(α2−α1).

It can be proved that Δ_α, Δ_β, a₁, b₁, a₂, b₂ are all nonzero, such that A = Δ_βa₁/a₂ and B = Δ_αb₁/b₂ are well defined and nonzero as well. With these notations in mind, the image of the (2, 2)-isogeny with kernel κ is the jacobian of the genus-2 curve given by the equation

y2=−A(α2−α1)(α1−α3)x2+B(β2−β1)(β1−β3)⋅A(α3−α2)(α2−α1)x2+B(β3−β2)(β2−β1)⋅A(α1−α3)(α3−α2)x2+B(β1−β3)(β3−β2).

The three factors on the right hand side constitute a quadratic splitting for the dual isogeny back to E₁ × E₂; note in particular that these factors are multiples of each other so that the corresponding value of δ is indeed 0.

The final case to consider is when we want to construct an isogeny with domain an abelian surface of the form E₁ × E₂, with E₁ ≅ E₂, and of which the kernel κ is the restriction of the graph of an isomorphism α : E₁ → E₂. The codomain is then the same as the domain and the (2, 2)-isogeny is given by

ϕ:E1×E2→E1×E2(P,Q)↦(P+α^(Q),−Q+α(P)),

which is clearly self-dual.

In particular, if E₁ ≅ E₂ we will have strictly fewer than six (2, 2)-isogenies from E₁ × E₂ to the jacobian of a genus-2 curve. The exact number in this case is given by the formula 6 – #Aut(E₁)/2. If the j-invariant of E₁ is 0 or 1728 then this expression is 3 or 4, respectively (under the assumption that p > 3). In all other cases this expression is 5 since the only automorphisms are ±1.

4 The superspecial (2, 2)-isogeny graph

For each prime p, we define a directed multigraph 𝓖_p as follows.^[5] The vertices of 𝓖_p represent the isomorphism classes of superspecial p.p. abelian surfaces defined over 𝔽_p. The graph 𝓖_p has an edge from vertex A₁ to vertex A₂ for every (2, 2)-isogeny from the superspecial p.p. abelian surface corresponding to A₁ to the one corresponding to A₂, again up to isomorphism. Here, isomorphisms of outgoing (2, 2)-isogenies are commutative diagrams

where ϕ and ϕ′ are (2, 2)-isogenies and ι is an isomorphism of superspecial p.p. abelian surfaces. Since the isomorphism class of an outgoing isogeny is uniquely determined by its kernel, this simply means that we have an outgoing edge for each (2, 2)-subgroup of A₁, i.e., each subgroup that is isomorphic to ℤ/2ℤ ⊕ ℤ/2ℤ and maximal isotropic with regards to the 2-Weil pairing.

By construction, 𝓖_p is a 15-regular (multi)graph, since both types of superspecial p.p. abelian surfaces have 15 different outgoing (2, 2)-isogenies. One might simplify the situation by combining parallel edges to turn 𝓖_p into a simple directed graph, but for our application we will need to distinguish between all 15 outgoing edges. In any case, for large p the number of parallel edges is expected to be negligible relative to the size of the graph (for very small p, where there are few superspecial p.p. abelian surfaces, the opposite holds—as we will see in §5).

Since every p.p. abelian surface is isomorphic (as a polarized abelian variety) to either the jacobian of a genus-2 curve or a product of elliptic curves, the vertices of 𝓖_p fall into two classes:

V(Gp)=Ep⊔Jp,

where 𝓔_p is the set of isomorphism classes corresponding to products of supersingular elliptic curves, and 𝓙_p is the set of isomorphism classes of superspecial genus-2 jacobians. Proposition 2 gives us the cardinalities of these subsets.

Proposition 2

Let 𝓖_p, 𝓔_p, and 𝓙_pbe defined as above.

Ifp = 2 or 3, then #𝓙_p = 0 and #𝓔_p = 1.
Ifp = 5, then #𝓙_p = 1 and #𝓔_p = 1.
Ifp > 5, then
#Jp=p3+24p2+141p−3462880+δp
and
#Ep=12p−112+ϵpp−112+ϵp+1,
whereδp∈[0,881720]depends only on p mod 120 andϵp∈0,76depends only onp mod 12.

Proof

The values for #𝓙_p appear in [18, Theorem 3.10(b)] or [21, Theorem 3.3]. The formulas for #𝓔_p follow from the fact that up to 𝔽_p-isomorphism, the number of supersingular elliptic curves over 𝔽_p is (p – 1)/12 + ϵ_p, where ϵp∈0,76 depends only on p mod 12 (see for example [27, Section V, Theorem 4.1(c)]).□

Proposition 2 implies that 𝓖_p is a finite graph, although this could already be derived from the fact that every isomorphism class of superspecial p.p. abelian surfaces has a representative defined over 𝔽_p². Asymptotically, we have

#Gp∼p3/2880,#Ep∼p2/288,#Jp∼p3/2880.

In particular, the proportion of superspecial p.p. abelian surfaces that are the product of two supersingular elliptic curves is O(1/p) relative to the total size of the graph: for p large, the number of vertices in 𝓖_p that are not in 𝓙_p is negligible.

Informally, when p is large, one could see 𝓔_p as the “boundary” of the graph 𝓖_p, and 𝓙_p as the “interior”. A first reason is the size argument we just made. A second reason is the connectivity of the 2 types of superspecial p.p. abelian surfaces that we briefly touched on in the preliminaries. Indeed, every product of elliptic curves has at least 9 out of 15 (2, 2)-isogenies that have a codomain that is a product of elliptic curves as well, hence this part of our graph is very well connected while only making up a fraction of our graph. Vice versa there is also no jacobian of a genus-2 curve that could be “hiding” in between the products of elliptic curves, which we can make precise with the following theorem.

Theorem 1

With the notation above:

Supposep ≠ 5. IfJis a vertex in 𝓙_p ⊂ 𝓖_p, then (counting multiplicity) at most 6 of the 15 edges out ofJare to vertices in 𝓔_p.
IfEis a vertex in 𝓔_p ⊂ 𝓖_p, then (counting multiplicity) at most 6 of the 15 edges out ofEare to vertices in 𝓙_p.

Proof

Part (2) of this theorem was mentioned in the preliminaries; it follows from the fact that 9 out of 15 (2, 2)-isogenies are simply a product of 2-isogenies from the elliptic factors. A proof of a more general formula can be found in [25]. For a proof of Part (1) using Gröbner bases, see Appendix A.^[6]□

A simple counting argument then tells us that for sufficiently large p, the chance of a vertex in 𝓙_p having a neighbour in 𝓔_p in our graph 𝓖_p is negligible. Intuitively this makes sense, since the δ in Proposition 1 is the determinant of a seemingly random 3 × 3 matrix for large p, and will therefore almost surely be nonzero.

We now state a pair of conjectures inspired by analogous theorems for the elliptic supersingular 2-isogeny graph.

Conjecture 1

The graph 𝓖_pis connected.^[7]

Conjecture 1 is the most natural from a mathematical point of view, but we will need something stronger for a more efficient implementation of a collision-free hash function. We mainly state it due to the analogy with the elliptic curve case.

Conjecture 2

The subgraph of 𝓖_psupported on 𝓙_pis connected.

Conjecture 2 (which is identical to Conjecture 1 in the elliptic case) is more relevant to our discussion. It implies that 𝓔_p not only makes no significant contribution to the size of 𝓖_p as p → ∞, but it is also not essential for connectivity. (Thus, again, we consider 𝓔_p to be the “boundary” of 𝓖_p.) Conjecture 2 implies Conjecture 1, since every vertex in 𝓔_p has at least 4 outgoing edges into 𝓙_p for p > 3 (as mentioned in the preliminaries). Similarly, Conjecture 2 follows from Conjecture 3 in Section 6, for which we have verified correctness up to and including p equal 1013.

As a final note, one may wonder if all non-superspecial supersingular p.p. abelian surfaces also form a similar connected component (which is necessarily infinite).^[8] Since we will not use these abelian surfaces, we will not explore that thought further.

5 The graph 𝓖₁₃

We now give a small example to show the possible case distinctions that can occur in the graphs 𝓖_p. We take p = 13, since this yields a small graph that still exhibits most of the subtleties and pathologies that we encounter in larger graphs.

Figure 1 shows 𝓖₁₃. There are 3 superspecial genus-2 curves defined over 𝔽₁₃ up to isomorphism, say C_i for i in {1, 2, 3}; we denote their jacobians by J_{C_i}. There is only 1 supersingular elliptic curve defined over 𝔽₁₃ up to isomorphism, say E, so there is only one vertex in 𝓖₁₃ that corresponds to a product of elliptic curves.

Figure 1

The graph 𝓖₁₃. The vertices J_{C_i}, i ∈ {1, 2, 3}, correspond to jacobians of genus-2 curves, whereas the vertex E × E corresponds to a product of elliptic curves. The numbers indicate the multiplicities of the edges.

First of all it is easily verifiable that there are at most 6 outgoing edges from any J_{C_i} to E × E, see Appendix A. Furthermore, since clearly E ≅ E, there are strictly fewer than 6 outgoing edges from E × E to jacobians of genus-2 curves. Since the j-invariant of E is not in {0, 1728}, we know from subsection 3.3 that there are exactly 5 such edges, so the remaining 10 must go to products of elliptic curves as well, which here (by lack of other options) means a loop with multiplicity 10.

This example also shows clearly why direction is important in the graph. There are 4 edges from J_C₁ to J_C₂, but only 1 edge back. In other words C₁ : y² = x⁵ – x has 4 quadratic splittings whose associated Richelot isogenies have J_C₂ as codomain, ^[9] while starting from any Weierstraß equation for C₂, only one quadratic splitting gives rise to a Richelot isogeny with J_C₁ as codomain. This stems from the fact that the 4 corresponding (2, 2)-subgroups of J_C₁ are mapped to each other by an automorphism of J_C₁. In other words the 4 resulting isogenies

ϕ1,…,ϕ4:JC1→JC2

are obtained from one another by pre-composition with such an automorphism. But then their duals

ϕ1^,…,ϕ4^:JC2→JC1

are obtained from each other by post-composition with an automorphism. In particular they have the same kernel or, equivalently, they correspond to the same quadratic splitting.

The only phenomenon missing in this graph is a vertex corresponding to a product of non-isomorphic elliptic curves. Such vertices always have 9 outgoing edges (possibly loops) to other vertices in 𝓔_p, and 6 outgoing edges to vertices in 𝓙_p. The smallest example where this occurs is the graph 𝓖₁₇, which already has double the number of vertices of 𝓖₁₃.

6 A special class of paths in 𝓖_p

We are interested in the kinds of isogenies that are represented by paths in 𝓖_p: that is, the compositions of isogenies corresponding to adjacent edges.

First, fix a single edge ϕ₁ : A₀ → A₁ in 𝓖_p. By definition, ϕ₁ represents (up to isomorphism) a (2, 2)-isogeny: that is, an isogeny whose kernel is a maximal 2-Weil isotropic subgroup of A₀[2], hence isomorphic to (ℤ/2ℤ)².

Now, consider the set of edges leaving A₁: these correspond to (2, 2)-isogenies that may be composed with ϕ₁. We know that (counting multiplicity) there are fifteen such edges. These edges fall naturally into three classes relative toϕ₁, according to the structure of the kernel of the composed isogeny (which, in each case, is a maximal 4-Weil isotropic subgroup of A₀[4]).

Definition 2

Let ϕ₁ : A₀ → A₁ and ϕ₂ : A₁ → A₂ be edges in 𝓖_p.

We say that ϕ₂ is the (necessarily unique) dual extension of ϕ₁ if ker(ϕ₂ ∘ ϕ₁) ≅ (ℤ/2ℤ)⁴, so ϕ₂ ∘ ϕ₁ is a (2, 2, 2, 2)-isogeny (hence isomorphic to [2]_A₀). In this case, ker ϕ₂ = ϕ₁(A₀[2]).
We say that ϕ₂ is a bad extension of ϕ₁ if ker(ϕ₂ ∘ ϕ₁) ≅ (ℤ/4ℤ) × (ℤ/2ℤ)², so ϕ₂ ∘ ϕ₁ is a (4, 2, 2)-isogeny. In this case (ker ϕ₂) ∩ ϕ₁(A₀[2]) ≅ ℤ/2ℤ, and there are precisely 6 bad extensions of any given ϕ₁.
We say that ϕ₂ is a good extension of ϕ₁ if ker(ϕ₂ ∘ ϕ₁) ≅ (ℤ/4ℤ)², so ϕ₂ ∘ ϕ₁ is a (4, 4)-isogeny. In this case (ker ϕ₂) ∩ ϕ₁(A₀[2]) = 0, and there are precisely 8 good extensions of any ϕ₁.

Remark 1

In [23, Definition 9.2.1], good extensions are called cyclic and bad extensions are called acyclic. We prefer the good/bad terminology here to avoid confusion with the notion of composing isogenies to form eventual cycles in 𝓖_p; the reason why good is good and bad is bad will become clear in Section 7.

We have seen how the three kinds of extensions

A0⟶ϕ1A1⟶ϕ2A2

can be distinguished by how the kernel of ϕ₂ intersects with the image of A₀[2] under ϕ₁. We can make these criteria more explicit in terms of the Richelot isogeny formulas.

6.1 Extensions of isogenies from 𝓙_p to 𝓙_p

Recall the construction of Richelot isogenies ϕ₁ : J_C₀ → J_C₁ from Proposition 1: given the curve C₀ : y² = G₁ ⋅ G₂ ⋅ G₃, we set

H1:=G2′G3−G3′G2,H2:=G3′G1−G1′G3,H3:=G1′G2−G2′G1.

The curve C₁ is defined by C₁ : y² = δ^–1 ⋅ H₁ ⋅ H₂ ⋅ H₃ where δ := det(G₁, G₂, G₃). The kernel of ϕ₁ corresponds to {G₁, G₂, G₃}, and the subgroup ϕ₁(J_C₀[2]) ⊂ J_C₁[2] corresponds to {H₁, H₂, H₃}.

Proposition 3

With the notation above: if

H1=L1⋅L2,H2=L3⋅L4,H3=L5⋅L6,

with theL_iall linear (except possibly for one constantL_iin the case whereH₁H₂H₃is quintic), then the good extensions ofϕ₁are the Richelot isogenies with kernels corresponding to one of the following factorizations ofH₁H₂H₃:

(L1L3,L2L5,L4L6),(L1L3,L2L6,L4L5),(L1L4,L2L5,L3L6),(L1L4,L2L6,L3L5),(L1L5,L2L3,L4L6),(L1L5,L2L4,L3L6),(L1L6,L2L3,L4L5),(L1L6,L2L4,L3L5).

Proof

The quadratic splitting {H₁, H₂, H₃} corresponds to the subgroup of J_C₁[2] which is the kernel of the dual ϕ̂₁, and also the image ϕ₁(J_C₀[2]). The good extensions of ϕ₁ are those whose kernel intersects trivially with ϕ₁(J_C₀[2]); they therefore correspond to the quadratic splittings with no quadratics proportional to any of the H_i. The list of 8 splittings above follows from direct calculation.□

We now discuss the good extensions of isogenies involving products of elliptic curves. This is mainly for the sake of completeness, because in our proposed hash function below, these cases will not be implemented.

6.2 Extensions of isogenies from 𝓙_p to 𝓔_p

Recall from the preliminaries that for a (2, 2)-isogeny ϕ₁ : J_C₀ → E₁ × E₂, the domain can be written as the jacobian of a curve C₀ : y² = G₁G₂G₃, where

Gi=ai,1(x−s1)2+ai,2(x−s2)2

for certain s₁, s₂, a_i,1, a_i,2 ∈ 𝔽_p² for i = 1, 2, 3. The elliptic curves determining the codomain can then be defined by the equations

E1:y2=∏i=13(ai,1x+ai,2),E2:y2=∏i=13(ai,1+ai,2x).

For i = 1, 2, 3 we will write {αi,αi′} for the roots of G_i, P_i = (–a_i,2/a_i,1, 0) for the Weierstraß points of E₁, Q_i = (–a_i,1/a_i,2, 0) for the Weierstraß points of E₂, and 𝓞_E₁ and 𝓞_E₂ for the neutral element of respectively E₁ and E₂.

Proposition 4

With the notation above, the good extensions ofϕ₁are the (2, 2)-isogenies with kernel one of the 6 combinations

{(OE1,OE2),(Pi,OE2),(OE1,Qj),(Pi,Qj)},

fori ≠ jin {1, 2, 3}, or one of

{(OE1,OE2),(P1,Q2),(P2,Q3),(P3,Q1)},{(OE1,OE2),(P1,Q3),(P2,Q1),(P3,Q2)}.

Proof

The proof of the formulas in [23, Proposition 8.3.1] shows that, for {i, j, k} = {1, 2, 3}, the 2-torsion elements [(αi,0)−(αj,0)],[(αi,0)−(αj′,0)],[(αi′,0)−(αj,0)],[(αi′,0)−(αj′,0)] get mapped to (P_k, Q_k) in E₁ × E₂. So the good extensions of ϕ₁ are the isogenies whose kernels intersect

ϕ1(JC0[2])={(OE1,OE2),(P1,Q1),(P2,Q2),(P3,Q3)}

trivially, which are exactly the ones listed.□

Note that in the previous proposition, the 6 good extensions of the first type always have a product of elliptic curves as codomain. The other 2 will typically be to a jacobian of a genus-2 curve, unless E₁ ≅ E₂ and the given kernel is contained in the graph of an isomorphism θ : E₁ → E₂, i.e. the kernel can be written as {(𝓞_E₁, 𝓞_E₂), (P₁, θ(P₁)), (P₂, θ(P₂)), (P₃, θ(P₃))}.

6.3 Extensions of isogenies from 𝓔_p to 𝓙_p

Recall from the preliminaries that every (2, 2)-isogeny ϕ₁ : E₁ × E₂ → J_C₁, with

E1:y2=∏i=13(x−αi)andE2:y2=∏i=13(x−βi),

always has as codomain the jacobian of a genus-2 curve C₁ that can be defined by an equation of the form

y2=−A(α2−α1)(α1−α3)x2+B(β2−β1)(β1−β3) ⋅A(α3−α2)(α2−α1)x2+B(β3−β2)(β2−β1)⋅A(α1−α3)(α3−α2)x2+B(β1−β3)(β3−β2),(1)

up to permutation of the roots β_i, for well-defined nonzero constants A and B that depend on α_i and β_i. We will denote the quadratic factors on the right hand side of Equation 1 on the first, second and third line by H₁, H₂ and H₃ respectively, such that C₁ : y² = –H₁ ⋅ H₂ ⋅ H₃.

Proposition 5

With the notation above: if

H1=L1⋅L2,H2=L3⋅L4,H3=L5⋅L6,

(L1L3,L2L5,L4L6),(L1L3,L2L6,L4L5),(L1L4,L2L5,L3L6),(L1L4,L2L6,L3L5),(L1L5,L2L3,L4L6),(L1L5,L2L4,L3L6),(L1L6,L2L3,L4L5),(L1L6,L2L4,L3L5).

Proof

The proof of Equation 1 in [24] constructs the dual isogeny ϕ̂₁ : J_C₁ → E1′ × E2′, where E1′ ≅ E₁ and E2′ ≅ E₂. More specifically, E1′ and E2′ are given by

E1′:y2=−A(α2−α1)(α1−α3)x+B(β2−β1)(β1−β3)⋅A(α3−α2)(α2−α1)x+B(β3−β2)(β2−β1)⋅A(α1−α3)(α3−α2)x+B(β1−β3)(β3−β2),E2′:y2=−A(α2−α1)(α1−α3)+B(β2−β1)(β1−β3)x⋅A(α3−α2)(α2−α1)+B(β3−β2)(β2−β1)x⋅A(α1−α3)(α3−α2)+B(β1−β3)(β3−β2)x.

Hence the quadratic splitting {H₁, H₂, H₃} corresponds to the subgroup of J_C₁[2] which is the kernel of the dual ϕ̂₁ and we can continue the proof just as in the Richelot isogeny case.□

6.4 Extensions of isogenies from 𝓔_p to 𝓔_p

Proposition 6

Letϕ₁ : E₁ × E₂ → E1′ × E2′be a (2, 2)-isogeny. Denote byOE1,OE2,OE1′,OE2′the identity elements of respectivelyE₁, E₂, E1′andE2′. Fori = 1, 2, 3 we writePi,Qi,Pi′,Qi′for the Weierstraß points of respectivelyE₁, E₂, E1′, E2′. If

ker⁡(ϕ1)={(OE1,OE2),(P1,OE2),(OE1,Q1),(P1,Q1)},

andϕ1|E1(P2)=ϕ1|E1(P3)=P1′,ϕ1|E2(Q2)=ϕ1|E2(Q3)=Q1′,then the good extensions ofϕ₁are the isogenies with kernel one of the 4 combinations

{(OE1′,OE2′),(Pi′,OE2′),(OE1′,Qj′),(Pi′,Qj′)},

wherei ≠ 1 andj ≠ 1, or one of

{(OE1′,OE2′),(P1′,Q2′),(P2′,Q3′),(P3′,Q1′)},{(OE1′,OE2′),(P1′,Q3′),(P2′,Q1′),(P3′,Q2′)},{(OE1′,OE2′),(P1′,Q2′),(P2′,Q1′),(P3′,Q3′)},{(OE1′,OE2′),(P1′,Q3′),(P2′,Q2′),(P3′,Q1′)}.

Proof

The good extensions are determined by the (2, 2)-isogenies that intersect

{(OE1′,OE2′),(P1′,OE2′),(OE1′,Q1′),(P1′,Q1′)}

trivially, so the proof is immediate.□

6.5 Connectedness

Conjecture 3

For every two verticesAand A′ in 𝓙_p ⊂ 𝓖_p, there exists a path

A=A0⟶ϕ0A1⟶ϕ1⋯⟶ϕk−1Ak=A′

ofkedges, for somek ≥ 0, such that all of theA_iare in 𝓙_pand eachϕ_i, i ≠ 0, is a good extension ofϕ_i–1. (The composed isogeny is then a (2^k, 2^k)-isogeny.)

Conjecture 3 is our strongest conjecture. It differs from Conjecture 2 in that at each step in a path, the number of choices is reduced from all 15 isogenies to the 8 good isogenies. Conjecture 3 is easy to verify for small p using the formulas for Richelot isogenies and the exact formula from Theorem 2. We verified this part of the conjecture for p ≤ 1013 using Magma, but from then onward the computations become slow since we work with graphs of several hundred thousands of vertices already. Nonetheless, this is a first indication that Conjecture 3 might hold.

7 Hash functions from Richelot isogenies

Turning the graph 𝓖_p into a hash function happens analogously to the elliptic curve case with some small caveats. We will first describe the function in general, thereby repairing Takashima’s proposal from [14], and then explain the underlying reasoning in detail afterwards. When reading this section, it can be helpful to keep the Magma code in Appendix B at hand.

We start by choosing a large prime p (as a function of some security parameter λ) such that p ≡ 5 mod 6. We start at the vertex corresponding to the jacobian of the genus-2 curve C₀ defined over 𝔽_p², given by the equation y² = x(x – 1)(x + 1)(x – 2)(x – 1/2). The hash function starts by taking a relatively small deterministic walk away from C₀, which can be achieved through multiplication of the input by a relatively small power of 8, or equivalently, padding its bit expansion with a bunch of triple zeroes. This is done to distantiate us from the vertex corresponding to the jacobian of our starting curve, since it is known to have many automorphisms, resulting in small cycles in our graph which lead to collisions; see Section 7.3 for a more elaborate discussion. In our pseudocode from Algorithm 1, as well as in our proof-of-concept implementation in Appendix B, we padded with 30 zeroes for the sake of exposition, but clearly this choice is somewhat random.

The hashing will happen 3 bits at a time, with each three bits determining a choice of one of the eight good extensions relative to the previous step. So for our starting vertex we will need to make an initial choice as if we performed a step prior to starting. The quadratic splitting we will choose for C₀ is

x2−1,x2−2x,x−12.

The 8 quadratic splittings that we will consider are those that have no quadratic factor in common with the one that was obtained from the previous step. These splittings are then ordered according to some natural order of the roots. In practice this means we just need to fix a quadratic equation that determines the field extension 𝔽_p ⊂ 𝔽_p². Next we process 3 bits (one base-8 digit) of our input, using it to choose an edge according to the ordering of the quadratic splittings. If the chosen edge leads to a vertex corresponding to the product of elliptic curves, the function stops and outputs an error. If the chosen edge leads to a vertex corresponding to a jacobian of a genus-2 curve, then we have 8 good extensions again, this time relative to the previous step. We now repeat the process for the remainder of the message, where each block of 3 bits corresponds to one choice of edge that takes us to a new vertex in the graph. Once the entire message has been processed we output the absolute Igusa invariants of the genus-2 curve corresponding to the final vertex.

Remark 2

We chose to abort the hashing as soon as a product of elliptic curves is encountered in order not to get lost in technical details that apply with probability O(1/p) and which detract us from the main construction. Note that 1/p is only slightly larger than the probability of breaking the hash function using Pollard-ρ. Nevertheless this is a nuisance, but as discussed in Section 7.2 below, there are several tracks for getting around this.

7.1 Avoiding trivial cycles

A hash function should be collision-resistant, so we need to at least avoid trivial cycles in our graph. In the elliptic curve case, this is simply done by disallowing the edge associated to the dual isogeny from where we just came. Similarly, we must avoid using dual isogenies when walking in 𝓖_p, to avoid extremely easy cycles:

But there is an additional subtlety in genus-2, as noted in [16]. If we compose a (2, 2)-isogeny A₀ → A₁ with a bad extension A₁ → A₂, then we get a (4, 2, 2)-isogeny; but then, for every (4, 2, 2)-isogeny A₀ → A₂ there are 3 distinct ways to split it up into the concatenation of two (2, 2)-isogenies as in the following diagram.

Luckily all these cases are easy to distinguish, as we saw in Section 6.

The eight (2, 2)-isogenies corresponding to good extensions do not result in trivial cycles. In practice this means that, after a choice for our initial (2, 2)-isogeny corresponding to one of 15 possible edges, we are left with only 8 options at every next step along the way. This implies that we should not only keep track of our current vertex by some form of equation, but also by some order of the roots of that equation (or more precisely, by a quadratic splitting).

This observation means we can hash up to 3 bits at every step in our hash function and that a hash will always correspond to computing a (2^k, 2^k)-isogeny.

7.2 Products of elliptic curves

For our hash function, the vertices corresponding to products of elliptic curves are a nuisance for the following reasons.

There is no clear candidate invariant that is similar to the ordered triple in case of the genus-2 absolute Igusa invariants. So ideally, we would prefer not to end the hash function in a vertex like this.
The formulas involving products of elliptic curves are a lot more involved than the Richelot isogenies, and their simplicity was one of the main reasons for the restriction to (2, 2)-isogenies.

In the way we presented our hash function, we simply use Richelot isogenies only and let our hash function break down whenever we pass a vertex corresponding to a product of elliptic curves. Given that this only occurs with probability O(1/p), this only happens with negligible probability for cryptographic values of p.

An alternative way of dealing with this is as follows. Assume we try to process a step in our hash function that corresponds to a (2, 2)-isogeny between a jacobian of a genus-2 curve and a product of elliptic curves. Then (in the same step) we immediately choose one edge corresponding to a (2, 2)-isogeny from the product of elliptic curves back to a jacobian of a genus-2 curve. This has to be done in a deterministic way and we should avoid the dual and bad extensions since they would result in small cycles in 𝓖_p. Unfortunately Proposition 4 tells us that we can only find 2 good extensions that possibly have the jacobian of a genus-2 curve as codomain. In the case of E × E, with E having j-invariant 0 or 1728, these kernels may both be to a product of elliptic curves again. Solving this issue can be done by either choosing p ≡ 1 mod 12 (such that elliptic curves with j-invariant 0 and 1728 never occur), or by (deterministically) using the results from Proposition 6 to add an extra step in this specific case.

A third option is to keep working with all the formulas for products of elliptic curves as well. This means we should find a way to merge the absolute Igusa invariants and (unordered) pairs of j-invariants into one output type, which is only an issue when ending in a product of elliptic curves.

7.3 Initial choices

As mentioned earlier, there is no known way to generate the equation of a random superspecial genus-2 curve that is defined over 𝔽_p². Some specific examples such as y² = x⁵ – x with p ≡ 5 or 7 mod 8 are listed in [21]. Unfortunately, the examples that are easiest to represent all have some (2, 2)-isogenies with codomain the product of 2 supersingular elliptic curves. This seems to imply that we cannot avoid having to deal with vertices corresponding to products of elliptic curves.

However, another initial choice to make is whether we start by picking one of 15 possible edges or already restrict ourselves to 8, since this is needed for every subsequent step anyway. We will take only 8 which means we need to choose an initial quadratic splitting instead of just an initial curve.^[10] Fortunately this solves our problem of finding an appropriate starting curve in a way. Consider C₀, the genus-2 curve given by y² = x(x – 1)(x + 1)(x – 2)(x – 1/2) defined over 𝔽_p with p > 5. Then C₀ is superspecial if and only if p ≡ 5 mod 6 [21]. Now the vertex corresponding to the jacobian of C₀ has 4 neighbours that are products of supersingular elliptic curves. However, if we take the initial quadratic splitting x2−1,x2−2x,x−12, then the 8 allowed outgoing (2, 2)-isogenies all have the jacobian of a superspecial genus-2 curve as codomain. The only restriction this puts on our hash function is that we need to work with a prime p such that p ≡ 5 mod 6, but this is easy to enforce.

An issue that arises with this curve C₀ however, is that its jacobian has many automorphisms and hence has multiple outgoing isogenies with the same codomain.^[11] More precisely, starting from the given splitting of C₀, the 8 good extensions only have 3 distinct codomains up to isomorphism, one of which even occurs with multiplicity 5, which leads to trivial cycles in our graph. An easy way to fix this is to simply take a (relatively short) deterministic path to another curve C0′ prior to starting to hash our input, or equivalently, pad the input with some zeroes from the right. For other possible starting curves, this padding can be used to additionally avoid products of elliptic curves. Of course, once such a path to C0′ has been computed, this curve can be hard-coded as the new starting curve, so that no padding is needed when hashing subsequent inputs.

7.4 Security

The security of our hash function depends on the hardness of finding isogenies between certain p.p. abelian surfaces. A lot of the choices discussed in the previous subsections make slight alterations to the underlying mathematical hard problems. We will formulate them in a general form to keep them succinct since we do not think any of the changes would impact the hardness of the problems. In essence they are the genus-1 counterparts of the hard problems from the elliptic curve hash function in [3].

Problem 1

Given two superspecial genus-2 curvesC₁andC₂defined over 𝔽_p², find a (2^k, 2^k)-isogeny between their jacobians.

Problem 2

Given any superspecial genus-2 curveC₁defined over 𝔽_p², find

a curveC₂and a (2^k, 2^k)-isogenyJ_C₁ → J_C₂,
a curveC2′and a (2^k′, 2^k′)-isogenyJC1→JC2′,

such thatC₂andC2′are𝔽_p-isomorphic. Here, it is allowed thatk = k′ but in this case the kernels should be different.

They are related to our hash function in the following way.

Preimage resistance: Finding a preimage in our hash function implies a solution to Problem 1 with C₁ = C0′ as follows. Let C₂ be a representative of the isomorphism class of the output of the hash function. A preimage for that output corresponds to a path of length k in our graph, or equivalently, a (2^k, 2^k)-isogeny between the jacobians of C0′ and C₂.
Collision resistance: Finding a collision in our hash function implies a solution to Problem 1 with C₁ = C0′ as follows. A collision in our hash function corresponds to two distinct paths in our graph with the same ending vertex. Equivalently this amounts to a pair of isogenies
ϕ:JC0′→JC2andϕ′:JC0′→JC2′
of type (2^k, 2^k) resp (2^k′, 2^k′) such that C₂ ≅ C2′, and with different kernels.

To our knowledge, there are no known ways to find isogenies of the said kinds between jacobians of (superspecial) genus-2 curves which perform better than the generic attacks.^[12] In the classical case the best known such attack is Pollard ρ, which can find a collision or preimage in time complexity the square root of the number of possibilities times the amount of time that one step computation takes. In our case we have a graph of size O(p³) and one step is simply a polynomial computation with some constants, which we can perform in time complexity log p. Hence a Pollard ρ attack could find a solution to Problem 1 or Problem 2 in time Õ(p^3/2).

With quantum computers in mind, the best known attack is a claw-finding algorithm to find a collision or preimage in the graph 𝓖_p. Grover search would yield a square-root attack in O(p^3/2). The algorithm of [30] would yield an attack with time complexity the third root of the size of the graph we work over; this would imply a solution to Problem 1 or Problem 2 in time Õ(p). However, Jaques and Schanck have shown that the data structures required by this algorithm adds significantly to its complexity, to the point where it does not in fact beat square-root algorithms (which have much lower quantum memory requirements) [31]; this suggests that Õ(p^3/2) is (currently) the correct complexity estimate for our problems.

8 Implementation and timings

We have implemented our hash function in Magma, taking into account all the choices made from the previous section. The pseudocode can be found below; the Magma code can be found in Appendix B. The subroutine Factorization is defined as follows: when the input is a quadratic polynomial, Factorization returns its two linear factors (which, in this application, are guaranteed to exist over the ground field). When the input is a linear polynomial, it returns that polynomial and 1.

Algorithm 1

Hashing a message m using Richelot isogenies, with λ bits of security on a classical computer

Remark 3

We do not keep track of the leading coefficient of the polynomial determining the genus-2 curve, for the reason that a twist of a curve does not change its absolute Igusa invariants anyway. Similarly we never need to know the exact value of δ = det(G₁, G₂, G₃). We are only interested in whether or not δ equals 0, and with the formulas from the preliminaries, this condition can be easily verified to be equivalent to all H_i being a multiple of one another. Hence it suffices to check if rank(H₁, H₂) < 2 instead, i.e. if H₁ is a nonzero multiple of H₂.

The deterministic edge ordering depends on two things. First, there is the (arbitrary) way we hard-coded the set S of pairs of indices of the allowed quadratic splittings. Secondly, the subroutine Factorization automatically orders the roots of the polynomial in some way. In this statement we silently assumed that this happens deterministically by the used software, which is the case for Magma.

Note that we do not claim this code is optimized in any way. For example we simply pick the smallest prime p possible that satisfies our needs, whereas better choices may speed up the arithmetic in the field we work over. Additionally, we did not implement any proper padding schemes. The main goal of the implementation is to see what the order of magnitude is for the speed of the hash function and we leave possible optimizations for future work.

As a final remark we want to point out that the output of the hash function is dependent on the security level required. The output is a triple in a quadratic field extension of a finite field of characteristic roughly 2λ/3 bits in case of classical security. This means our output has bit length 4λ, even though the number of possible hash values is only 2λ bits.^[13] It may be possible to compress this but we leave this discussion for future research, too.

We implemented our genus-2 CGL hash function algorithm in Magma (version 2.32-2) and ran it on an Intel(R) Xeon(R) CPU E5-2630 v2 @ 2.60GHz with 128 GB memory. For every prime size we averaged the speed over 1000 random inputs of 100 bits. A summary of our timed results can be found in the following table.

	p ≈ 2⁸⁶	p ≈ 2¹²⁸	p ≈ 2¹⁷¹	p ≈ 2²⁵⁶
bits of classical and quantum security	128	192	256	384
time per bit processed	5.01ms	6.52ms	9.33ms	15.70ms
output bits	516	768	1026	1536

9 Comparison to Charles–Goren–Lauter, and concluding remarks

The computational cost of each iteration of the main loop in Algorithm 1 is dominated by the three square roots required to factor the H_i in Lines 9, 10, and 13. At first glance, this would appear to give no advantage over the Charles–Goren–Lauter hash function: we compute essentially one expensive square root per bit of hash input. However, there are two important remarks to be made here:

The entropy in the Charles–Goren–Lauter hash function is linear in p, whereas in our case it is cubic in p. This implies that for the same security parameters we can work over much smaller finite fields, so the square roots are substantially easier to compute.
The square roots, along with the H_i, can be computed completely independently. The algorithm therefore lends itself well to three-way parallelization, as well as to vectorization techniques on suitable computer architectures.

From this point of view, our proposal is a conjecturally secure version of an ill-constructed hash function that we could call 3CGL, where the message m is split up in 3 chunks m₁, m₂, m₃. Each of these m_i is then hashed using Charles, Goren and Lauter’s hash function into a supersingular j-invariant j_i, resulting in a combined hash value (j₁, j₂, j₃) ∈ 𝔽_p². Note that, here too, the number of possible outcomes is O(p³). However, the security of 3CGL clearly reduces to the problem of finding collisions or pre-images for one of the chunks, which Pollard ρ can do in time Õ(p^1/2), compared to Õ(p^3/2) in our case.

While this convinces us that genus-2 hash functions deserve their place in the arena of isogeny-based cryptography, more research is needed to have a better assessment of their security and performance. One potentially interesting track is to adapt Doliskani, Pereira and Barreto’s recent speed-up to Charles, Goren and Lauter’s hash function from [32], which has the appearance of an orthogonal improvement that may also apply to genus 2. From a security point of view, it would be interesting to understand to what extent the discussion from [33, 34], transferring the elliptic curve analogs of Problems 1 and 2 to questions about orders in non-commutative algebras and raising some concerns about using special starting curves, carries over to genus 2.

Acknowledgement

We are grateful to Yan Bo Ti for sharing with us a preliminary copy of [16], to Frederik Vercauteren for helpful feedback, and to Ben Moonen for sharing the argument in Appendix C. We would also like to thank the anonymous reviewers of NutMiC 2019. This work was supported in part by the Research Council KU Leuven grants C14/18/067 and STG/17/019 and by CyberSecurity Research Flanders with reference number VR20192203.

References

[1] J.-M. Couveignes, “Hard homogeneous spaces.” Cryptology ePrint Archive, Report 2006/291, 2006.Search in Google Scholar

[2] A. Stolbunov, “Public-key encryption based on cycles of isogenous elliptic curves,” Master’s thesis, Saint-Petersburg State Polytechnical University, 2004. In Russian.Search in Google Scholar

[3] D. X. Charles, K. E. Lauter, and E. Z. Goren, “Cryptographic hash functions from expander graphs,” Journal of Cryptology, vol. 22, no. 1, pp. 93–113, 2009.10.1007/s00145-007-9002-xSearch in Google Scholar

[4] D. Jao and L. De Feo, “Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies,” in International Workshop on Post-Quantum Cryptography, pp. 19–34, Springer, 2011.10.1007/978-3-642-25405-5_2Search in Google Scholar

[5] L. De Feo, D. Jao, and J. Plût, “Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies,” Journal of Mathematical Cryptology, vol. 8, no. 3, pp. 209–247, 2014.10.1515/jmc-2012-0015Search in Google Scholar

[6] L. De Feo, J. Kieffer, and B. Smith, “Towards practical key exchange from ordinary isogeny graphs,” in Advances in Cryptology – ASIACRYPT 2018, Part III (T. Peyrin and S. Galbraith, eds.), pp. 365–394, Springer International Publishing, 2018.10.1007/978-3-030-03332-3_14Search in Google Scholar

[7] W. Castryck, T. Lange, C. Martindale, L. Panny, and J. Renes, “CSIDH: An efficient post-quantum commutative group action,” in Advances in Cryptology – ASIACRYPT 2018, Part III (T. Peyrin and S. Galbraith, eds.), pp. 395–427, Springer International Publishing, 2018.10.1007/978-3-030-03332-3_15Search in Google Scholar

[8] L. De Feo and S. D. Galbraith, “SeaSign: Compact isogeny signatures from class group actions,” in Advances in Cryptology – EUROCRYPT 2019 (Y. Ishai and V. Rijmen, eds.), pp. 759–789, Springer International Publishing, 2019.10.1007/978-3-030-17659-4_26Search in Google Scholar

[9] T. Decru, L. Panny, and F. Vercauteren, “Faster SeaSign signatures through improved rejection sampling,” in Post-Quantum Cryptography (J. Ding and R. Steinwandt, eds.), pp. 271–285, Springer International Publishing, 2019.10.1007/978-3-030-25510-7_15Search in Google Scholar

[10] W. Beullens, T. Kleinjung, and F. Vercauteren, “CSI-FiSh: Efficient isogeny based signatures through class group computations,” in Advances in Cryptology – ASIACRYPT 2019 (S. D. Galbraith and S. Moriai, eds.), (Cham), pp. 227–247, Springer International Publishing, 2019.10.1007/978-3-030-34578-5_9Search in Google Scholar

[11] L. De Feo, S. Masson, C. Petit, and A. Sanso, “Verifiable delay functions from supersingular isogenies and pairings,” in Advances in Cryptology – ASIACRYPT 2019 (S. D. Galbraith and S. Moriai, eds.), (Cham), pp. 248–277, Springer International Publishing, 2019.10.1007/978-3-030-34578-5_10Search in Google Scholar

[12] R. Azarderakhsh, B. Koziel, M. Campagna, B. LaMacchia, C. Costello, P. Longa, L. De Feo, M. Naehrig, B. Hess, J. Renes, A. Jalali, V. Soukharev, D. Jao, and D. Urbanik, “Supersingular isogeny key encapsulation.” http://sike.org, 2017.Search in Google Scholar

[13] D. X. Charles, E. Z. Goren, and K. E. Lauter, “Families of Ramanujan graphs and quaternion algebras,” Groups and symmetries: from Neolithic Scots to John McKay, vol. 47, pp. 53–63, 2009.10.1090/crmp/047/05Search in Google Scholar

[14] K. Takashima, “Efficient algorithms for isogeny sequences and their cryptographic applications,” in Mathematical Modelling for Next-Generation Cryptography. Mathematics for Industry (T. T. et al., ed.), vol. 29, (Singapore), pp. 97–114, Springer, 2018.10.1007/978-981-10-5065-7_6Search in Google Scholar

[15] K. Takashima and R. Yoshida, “An algorithm for computing a sequence of Richelot isogenies,” Bull. Korean Math. Soc, vol. 46, no. 4, pp. 789–802, 2009.10.4134/BKMS.2009.46.4.789Search in Google Scholar

[16] E. V. Flynn and Y. B. Ti, “Genus two isogeny cryptography,” in Post-Quantum Cryptography (J. Ding and R. Steinwandt, eds.), pp. 286–306, Springer International Publishing, 2019.10.1007/978-3-030-25510-7_16Search in Google Scholar

[17] K.-Z. Li and F. Oort, Moduli of supersingular abelian varieties, vol. 1680 of Lecture Notes in Mathematics. Springer-Verlag, Berlin, 1998.Search in Google Scholar

[18] B. W. Brock, Superspecial curves of genera two and three. PhD thesis, Princeton University, 1994.Search in Google Scholar

[19] E. W. Howe, “Constructing distinct curves with isomorphic Jacobians,” J. Number Theory, vol. 56, pp. 381–390, 1996.10.1006/jnth.1996.0026Search in Google Scholar

[20] T. Ibukiyama and T. Katsura, “On the field of definition of superspecial polarized abelian varieties and type numbers,” Compositio Mathematica, vol. 91, no. 1, pp. 37–46, 1994.Search in Google Scholar

[21] T. Ibukiyama, T. Katsura, and F. Oort, “Supersingular curves of genus two and class numbers,” Compositio Mathematica, vol. 57, no. 2, pp. 127–152, 1986.Search in Google Scholar

[22] G. Cardona and J. Quer, “Field of moduli and field of definition for curves of genus 2,” in Computational aspects of algebraic curves, pp. 71–83, World Scientific, 2005.10.1142/9789812701640_0006Search in Google Scholar

[23] B. Smith, Explicit endomorphisms and correspondences. PhD thesis, University of Sydney, 2005.Search in Google Scholar

[24] E. W. Howe, F. Leprévost, and B. Poonen, “Large torsion subgroups of split jacobians of curves of genus two or three,” Forum Mathematicum, vol. 12, no. 3, pp. 315 – 364, 2000.10.1515/form.2000.008Search in Google Scholar

[25] E. Kani, “The number of curves of genus two with elliptic differentials,” Journal für die reine und angewandte Mathematik, vol. 485, pp. 93–122, 1997.10.1515/crll.1997.485.93Search in Google Scholar

[26] N. Bruin and K. Doerksen, “The arithmetic of genus two curves with (4, 4)-split Jacobians,” Canadian Journal of Mathematics, vol. 63, no. 5, pp. 992–1024, 2011.10.4153/CJM-2011-039-3Search in Google Scholar

[27] J. H. Silverman, The arithmetic of elliptic curves, vol. 106. Springer Science & Business Media, 2009.10.1007/978-0-387-09494-6Search in Google Scholar

[28] T. Katsura and K. Takashima, “Counting superspecial Richelot isogenies and its cryptographic application.” Cornell University arXiv, Report 2003.00633, 2020.Search in Google Scholar

[29] C. Costello and B. Smith, “The supersingular isogeny problem in genus 2 and beyond,” in PQCrypto 2020 (J. Ding and J.-P. Tillich, eds.), Springer International Publishing, 2020.10.1007/978-3-030-44223-1_9Search in Google Scholar

[30] S. Tani, “Claw finding algorithms using quantum walk,” Theoretical Computer Science, vol. 410, no. 50, pp. 5285–5297, 2009.10.1007/978-3-540-74456-6_48Search in Google Scholar

[31] S. Jaques and J. M. Schanck, “Quantum cryptanalysis in the RAM model: Claw-finding attacks on SIKE,” in Advances in Cryptology – CRYPTO 2019 (A. Boldyreva and D. Micciancio, eds.), (Cham), pp. 32–61, Springer International Publishing, 2019.10.1007/978-3-030-26948-7_2Search in Google Scholar

[32] J. Doliskani, G. C. Pereira, and P. S. Barreto, “Faster cryptographic hash function from supersingular isogeny graphs.” Cryptology ePrint Archive, Report 2017/1202, 2017.Search in Google Scholar

[33] D. Kohel, K. Lauter, C. Petit, and J.-P. Tignol, “On the quaternion ℓ-isogeny path problem,” LMS J. Comput. Math., vol. 17, no. suppl. A, pp. 418–432, 2014.10.1112/S1461157014000151Search in Google Scholar

[34] K. Eisenträger, S. Hallgren, K. Lauter, T. Morrison, and C. Petit, “Supersingular isogeny graphs and endomorphism rings: reductions and solutions,” in Advances in cryptology—EUROCRYPT 2018. Part III (J. B. Nielsen and V. Rijmen, eds.), pp. 329–368, Springer International Publishing, 2018.10.1007/978-3-319-78372-7_11Search in Google Scholar

[35] B. W. Jordan and Y. Zaytman, “Isogeny graphs of superspecial abelian varieties and generalized Brandt matrices,” arXiv preprint arXiv:2005.09031, 2020.Search in Google Scholar

Proof of Theorem 1

We now settle Part (1) of Theorem 1, as an immediate consequence to:

Theorem 2

LetCbe a genus-2 curve over a fieldKof characteristic different from 2 and 5. Then the number of outgoing (2, 2)-isogenies with codomain a product of elliptic curves is at most 6.

Proof

We can assume that K is algebraically closed, so that C admits a model of the form y² = ∏i=16(x – α_i) for roots α_i ∈ K satisfying

∏1≤i<j≤6(αi−αj)=1.

Due to the formulas for Richelot isogenies, the number of (2, 2)-isogenies with codomain a product of elliptic curves is determined by how many among the 15 different equations of the form

det1ασ(1)+ασ(2)ασ(1)ασ(2)1ασ(3)+ασ(4)ασ(3)ασ(4)1ασ(5)+ασ(6)ασ(5)ασ(6)=0,(2)

where σ is a permutation of {1, 2, 3, 4, 5, 6}, can be simultaneously satisfied.

To show that no more than 6 can occur we work with Gröbner bases. The permutations of Equation (2) determine, up to sign, 15 different polynomials f₁, …, f₁₅ in 𝔽[α₁, …, α₆], where 𝔽 is the prime subfield of K. We pick a subset of 7 of these equations and form the ideal I ⊂ 𝔽[α₁, …, α₆] generated by them, together with the polynomial ρ = ∏_i,j (α_i – α_j) – 1. Now we determine a Gröbner basis G for I. If G = {1} then the variety defined by I is empty and hence those 7 equations we chose can not be satisfied simultaneously, under the assumption that all α_i are different. If we repeat this process for all possible subsets of 7 equations and find G = {1} in all cases, then we are done. There are 157 = 6435 possible ways of selecting such a subset, but this is not a problem for Magma.^[14]

When running the algorithm we choose 𝔽 = ℚ, for which we indeed find G = {1} in each of the cases. This only shows that there are no solutions if K is of characteristic 0, while we typically want to work over a fields of prime characteristic. If the Gröbner basis G equals {1} however, we can write 1 as linear combination of that particular choice of polynomials f_i, say for example 1 = h₁f₁ + … + h₇f₇ + h₈ρ. If we then multiply both sides of the equations by the lowest common multiple m of the denominators of the coefficients of the h_i, then we obtain an equation with coefficients in ℤ[α₁, …, α₆]. So as long as the characteristic p of K does not divide m, we still find a contradictory system. Hence it suffices to keep track of the primes that divide m, which are 2, 3, 5, 7 and 11. It then suffices to rerun the Gröbner basis computations for 𝔽 = 𝔽_p with p = 3, 7, 11, leading to the desired conclusion.□

Figure 2 lists the Magma code that was used. The specific cases p ∈ {3, 7, 11} can be checked by replacing Rationals() by GF(p) for any one value of p, and by removing the innermost loop that starts with for coord in c do completely.

Figure 2

Magma code completing the proof of Theorem 1.

Theorem 2 cannot be proved in this way for p = 2, because equations for hyperelliptic curves are more complicated in characteristic 2. Nevertheless, Theorem 1 is vacuously true for superspecial genus-2 Jacobians when p = 2, because there are no superspecial genus-2 jacobians over fields of characteristic 2.

The following example shows why Theorem 1 is not true for p = 5, and also provides an example to show that the bound of 6 is sharp.

Example 1

Let C be the genus-2 curve given by y² = x⁵ – x over 𝔽_p (which is superspecial when p ≡ 5 mod 8), and let i ∈ 𝔽_p² be a square root of –1. Of the fifteen quadrating splittings of x⁵ – x, the six splittings

{x,x2−(i+1)x+i,x2+(i+1)x+i},{x,x2+(i−1)x−i,x2−(i−1)x−i}{x−1,x2+1,x2+x},{x+1,x2+1,x2−x},{x−i,x2−1,x2+ix},{x+i,x2−1,x2−ix}

all have δ = 0, so they are always singular. The quadratic splitting {x, x² + 1, x² – 1} has δ = ±2 (the sign of δ may change with the order of the factors), and so is never singular. There are eight splittings remaining. The four splittings

{x−1,x2−ix,x2+(i+1)x+i},{x−i,x2+x,x2+(i−1)x−i},{x+1,x2+ix,x2−(i+1)x+i},{x+i,x2−x,x2−(i−1)x−i}

all have δ = ±(3i + 1), while their “conjugates”, the four splittings

{x−1,x2+ix,x2−(i−1)x−i},{x+i,x2+x,x2−(i+1)x+i},{x+1,x2−ix,x2+(i−1)x−i},{x−i,x2−x,x2+(i+1)x+i}

have δ = ±(3i – 1).

Now, when p = 5, we may take i = 2 or i = 3. If i = 2 then 3i – 1 = 0, so the last set of four become singular (and the penultimate set of four have δ = ±2), while if i = 3 then 3i + 1 = 0, so the penultimate set of four become singular (and then the last set of four have δ = ±2). In either case, for p = 5 we have exactly four additional singular splittings, making ten in total; and we cannot have i = 2 or 3 in any other characteristic, so if p ≠ 5 then there are only six singular splittings.

The hash function

Figure 3 lists Magma code implementing our hash function, with the specific parameter choices described in this article.

Figure 3

Magma code for the genus-2 superspecial hash function.

Invariance of the rank of the Hasse–Witt matrix

Fix g ≥ 2 and let V be the set of isomorphism classes of supersingular g-dimensional p.p. abelian varieties over 𝔽_p. This appendix discusses an obstruction to the connectedness of any graph whose vertex set is V and whose edges represent separable isogenies.

Proposition 7

LetA, Bbeg-dimensional abelian varieties over𝔽_pand assume that there exists a separable isogenyφ : A → B. Then the rank ofpth power Frobenius acting onH¹(A, 𝓞_A) equals that ofpth power Frobenius acting onH¹(B, 𝓞_B).

As a consequence, Pizer’s result [?] that the ℓ-isogeny graph of all supersingular elliptic curves over 𝔽_p is connected (for any prime number ℓ ≠ p) cannot be transferred to supersingular p.p. abelian varieties of higher dimension. Of course, in view of Conjecture 1 we hope that it does generalize when restricting to the superspecial subgraph. The proof of Proposition 7 was explained to us by Ben Moonen; we refer to the book by Li and Oort [17] for more background on the terminology it invokes.

Proof

Write σ : 𝔽_p → 𝔽_p for pth power Frobenius. Denote by M=HdR1(A/F¯p) the (contravariant) Dieudonné module of the group scheme A[p], which comes equipped with a σ-linear Frobenius operator 𝓕 : M → M for which we have

M/ker⁡(F)≅H1(A,OA)

as vector spaces equipped with Frobenius. Thus the rank of Frobenius acting on H¹(A, 𝓞_A) is given by

dimF¯p(im(F)+ker⁡(F))ker⁡(F)=dimF¯pim(F)im(F)∩ker⁡(F)=g−dimF¯pim(F)∩ker⁡(F)

where g = dim(A) = dim_{𝔽_p}(im(𝓕)). The quantity dim_{𝔽_p} (im(𝓕) ∩ ker(𝓕)) is in fact known as the a-number of A.

Now the group scheme A[p] admits the decomposition

A[p]=A[p]loc,e´t⊕A[p]loc,loc⊕A[p]e´t,loc

which corresponds to a decomposition of Dieudonné modules

M=Mloc,e´t⊕Mloc,loc⊕Me´t,loc

and it holds that im(𝓕) ∩ ker(𝓕) is zero on the summands M_loc,ét and M_{ét, loc}, where 𝓕 is zero resp. bijective. But if φ : A → B is a separable isogeny then ker(φ) is an étale group scheme, yielding an isomorphism

A[p]loc,loc≅B[p]loc,loc.

It follows that the a-numbers of A and B are the same, and as a consequence that the rank of Frobenius on H¹(A, 𝓞_A) is equal to the rank of Frobenius on H¹(B, 𝓞_B), as wanted.□

Received: 2019-07-05

Accepted: 2020-03-16

Published Online: 2020-08-07

This work is licensed under the Creative Commons Attribution 4.0 International License.

Hash functions from superspecial genus-2 curves using Richelot isogenies

Abstract

1 Introduction

Why generalize?

2 Supersingular versus superspecial

3 Further preliminaries

3.1 Hyperelliptic curves of genus 2

3.2 Richelot isogenies

Definition 1

Proposition 1

3.3 (2, 2)-isogenies from products of elliptic curves

4 The superspecial (2, 2)-isogeny graph

Proposition 2

Proof

Theorem 1

Proof

Conjecture 1

Conjecture 2

5 The graph 𝓖13

6 A special class of paths in 𝓖p

Definition 2

Remark 1

6.1 Extensions of isogenies from 𝓙p to 𝓙p

Proposition 3

Proof

6.2 Extensions of isogenies from 𝓙p to 𝓔p

Proposition 4

Proof

6.3 Extensions of isogenies from 𝓔p to 𝓙p

Proposition 5

Proof

6.4 Extensions of isogenies from 𝓔p to 𝓔p

Proposition 6

Proof

6.5 Connectedness

Conjecture 3

7 Hash functions from Richelot isogenies

Remark 2

7.1 Avoiding trivial cycles

7.2 Products of elliptic curves

7.3 Initial choices

7.4 Security

Problem 1

Problem 2

8 Implementation and timings

Algorithm 1

Remark 3

9 Comparison to Charles–Goren–Lauter, and concluding remarks

Acknowledgement

References

Proof of Theorem 1

Theorem 2

Proof

Example 1

The hash function

Invariance of the rank of the Hasse–Witt matrix

Proposition 7

Proof

Journal and Issue

Articles in the same Issue

5 The graph 𝓖₁₃

6 A special class of paths in 𝓖_p

6.1 Extensions of isogenies from 𝓙_p to 𝓙_p

6.2 Extensions of isogenies from 𝓙_p to 𝓔_p

6.3 Extensions of isogenies from 𝓔_p to 𝓙_p

6.4 Extensions of isogenies from 𝓔_p to 𝓔_p