-
Failing to hash into supersingular isogeny graphs
Authors:
Jeremy Booher,
Ross Bowden,
Javad Doliskani,
Tako Boris Fouotsa,
Steven D. Galbraith,
Sabrina Kunzweiler,
Simon-Philipp Merz,
Christophe Petit,
Benjamin Smith,
Katherine E. Stange,
Yan Bo Ti,
Christelle Vincent,
José Felipe Voloch,
Charlotte Weitkämper,
Lukas Zobernig
Abstract:
An important open problem in supersingular isogeny-based cryptography is to produce, without a trusted authority, concrete examples of "hard supersingular curves", that is, equations for supersingular curves for which computing the endomorphism ring is as difficult as it is for random supersingular curves. A related open problem is to produce a hash function to the vertices of the supersingular $\ell$-isogeny graph which does not reveal the endomorphism ring, or a path to a curve of known endomorphism ring. Such a hash function would open up interesting cryptographic applications. In this paper, we document a number of (thus far) failed attempts to solve this problem, in the hope that we may spur further research, and shed light on the challenges and obstacles to this endeavour. The mathematical approaches contained in this article include: (i) iterative root-finding for the supersingular polynomial; (ii) gcd's of specialized modular polynomials; (iii) using division polynomials to create small systems of equations; (iv) taking random walks in the isogeny graph of abelian surfaces; and (v) using quantum random walks.
Submitted 8 May, 2024; v1 submitted 29 April, 2022;
originally announced May 2022.
-
Stronger bounds on the cost of computing Groebner bases for HFE systems
Authors:
Elisa Gorla,
Daniela Mueller,
Christophe Petit
Abstract:
We give upper bounds for the solving degree and the last fall degree of the polynomial system associated to the HFE (Hidden Field Equations) cryptosystem. Our bounds improve the known bounds for this type of system. We also present new results on the connection between the solving degree and the last fall degree and prove that, in some cases, the solving degree is independent of coordinate changes.
Submitted 2 November, 2020;
originally announced November 2020.
-
Improved torsion point attacks on SIDH variants
Authors:
Victoria de Quehen,
Péter Kutas,
Chris Leonardi,
Chloe Martindale,
Lorenz Panny,
Christophe Petit,
Katherine E. Stange
Abstract:
SIDH is a post-quantum key exchange algorithm based on the presumed difficulty of finding isogenies between supersingular elliptic curves. However, SIDH and related cryptosystems also reveal additional information: the restriction of a secret isogeny to a subgroup of the curve (torsion point information). Petit (2017) was the first to demonstrate that torsion point information could noticeably lower the difficulty of finding secret isogenies. In particular, Petit showed that "overstretched" parameterizations of SIDH could be broken in polynomial time. However, this did not impact the security of any cryptosystems proposed in the literature. The contribution of this paper is twofold: First, we strengthen the techniques of Petit by exploiting additional information coming from a dual and a Frobenius isogeny. This extends the impact of torsion point attacks considerably. In particular, our techniques yield a classical attack that completely breaks the n-party group key exchange of Azarderakhsh et al. for 6 parties or more, and a quantum attack for 3 parties or more that improves on the best known asymptotic complexity. We also provide a Magma implementation of our attack for 6 parties. We give the full range of parameters for which our attacks apply. Second, we construct SIDH variants designed to be weak against our attacks; this includes backdoor choices of starting curve, as well as backdoor choices of base-field prime. We stress that our results do not degrade the security of, or reveal any weakness in, the NIST submission SIKE.
Submitted 20 October, 2021; v1 submitted 29 May, 2020;
originally announced May 2020.
-
New results on quasi-subfield polynomials
Authors:
M. Euler,
C. Petit
Abstract:
Quasi-subfield polynomials were introduced by Huang et al. together with a new algorithm to solve the Elliptic Curve Discrete Logarithm Problem (ECDLP) over finite fields of small characteristic. In this paper we provide both new quasi-subfield polynomial families and a new theorem limiting their existence. Our results do not allow one to derive any speedup for the new ECDLP algorithm compared to previous approaches.
Submitted 25 June, 2021; v1 submitted 25 September, 2019;
originally announced September 2019.
-
Chromatic numbers for the hyperbolic plane and discrete analogs
Authors:
Hugo Parlier,
Camille Petit
Abstract:
We study colorings of the hyperbolic plane, analogously to the Hadwiger-Nelson problem for the Euclidean plane. The idea is to color points using the minimum number of colors such that no two points at distance exactly $d$ are of the same color. The problem depends on $d$ and, following a strategy of Kloeckner, we show linear upper bounds on the necessary number of colors. In parallel, we study the same problem on $q$-regular trees and show analogous results. For both settings, we also consider a variant which consists in replacing $d$ with an interval of distances.
Submitted 30 January, 2017;
originally announced January 2017.
-
Chromatic numbers of hyperbolic surfaces
Authors:
Hugo Parlier,
Camille Petit
Abstract:
This article is about chromatic numbers of hyperbolic surfaces. For a metric space, the $d$-chromatic number is the minimum number of colors needed to color the points of the space so that any two points at distance $d$ are of a different color. We prove upper bounds on the $d$-chromatic number of any hyperbolic surface which only depend on $d$. In another direction, we investigate chromatic numbers of closed genus $g$ surfaces and find upper bounds that only depend on $g$ (and not on $d$). For both problems, we construct families of examples that show that our bounds are meaningful.
Submitted 13 November, 2014;
originally announced November 2014.
-
On the quaternion $\ell$-isogeny path problem
Authors:
David Kohel,
Kristin Lauter,
Christophe Petit,
Jean-Pierre Tignol
Abstract:
Let $\mathcal{O}$ be a maximal order in a definite quaternion algebra over $\mathbb{Q}$ of prime discriminant $p$, and $\ell$ a small prime. We describe a probabilistic algorithm, which for a given left $\mathcal{O}$-ideal, computes a representative in its left ideal class of $\ell$-power norm. In practice the algorithm is efficient, and subject to heuristics on expected distributions of primes, runs in expected polynomial time. This breaks the underlying problem for a quaternion analog of the Charles-Goren-Lauter hash function, and has security implications for the original CGL construction in terms of supersingular elliptic curves.
Submitted 4 June, 2014;
originally announced June 2014.
-
Wolfe's theorem for weakly differentiable cochains
Authors:
Camille Petit,
Kai Rajala,
Stefan Wenger
Abstract:
A fundamental theorem of Wolfe isometrically identifies the space of flat differential forms of dimension $m$ in $\mathbb{R}^n$ with the space of flat $m$-cochains, that is, the dual space of flat chains of dimension $m$ in $\mathbb{R}^n$. The main purpose of the present paper is to generalize Wolfe's theorem to the setting of Sobolev differential forms and Sobolev cochains in $\mathbb{R}^n$. A suitable theory of Sobolev cochains has recently been initiated by the second and third authors. It is based on the concept of upper norm and upper gradient of a cochain, introduced in analogy with Heinonen-Koskela's concept of upper gradient of a function.
Submitted 30 January, 2014;
originally announced January 2014.
-
Boundary behaviour of harmonic functions on hyperbolic manifolds
Authors:
Camille Petit
Abstract:
Let $M$ be a complete simply connected manifold which is in addition Gromov hyperbolic, coercive and roughly starlike. For a given harmonic function on $M$, a local Fatou Theorem and a pointwise criterion of non-tangential convergence coming from the density of energy are shown: at almost all points of the boundary, the harmonic function converges non-tangentially if and only if the supremum of the density of energy is finite. As an application of these results, a Calderón-Stein Theorem is proved, that is, the non-tangential properties of convergence, boundedness and finiteness of energy are equivalent at almost every point of the boundary.
Submitted 24 February, 2013;
originally announced February 2013.
-
Harmonic functions on hyperbolic graphs
Authors:
Camille Petit
Abstract:
We consider admissible random walks on hyperbolic graphs. For a given harmonic function on such a graph, we prove that asymptotic properties of non-tangential boundedness and non-tangential convergence are almost everywhere equivalent. The proof is inspired by the works of F. Mouton in the cases of Riemannian manifolds of pinched negative curvature and infinite trees. It involves geometric and probabilistic methods.
Submitted 11 March, 2013; v1 submitted 26 May, 2009;
originally announced May 2009.