Supersingular isogeny graph

From HandWiki
Short description: Class of expander graphs arising in computational number theory

In mathematics, the supersingular isogeny graphs are a class of expander graphs that arise in computational number theory and have been applied in elliptic-curve cryptography. Their vertices represent supersingular elliptic curves over finite fields and their edges represent isogenies between curves.

Definition and properties

A supersingular isogeny graph is determined by choosing a large prime number [math]\displaystyle{ p }[/math] and a small prime number [math]\displaystyle{ \ell }[/math], and considering the class of all supersingular elliptic curves defined over the finite field [math]\displaystyle{ \mathbb{F}_{p^2} }[/math]. There are approximately [math]\displaystyle{ (p+1)/12 }[/math] such curves, each two of which can be related by isogenies. The vertices in the supersingular isogeny graph represent these curves (or more concretely, their j-invariants, elements of [math]\displaystyle{ \mathbb{F}_{p^2} }[/math]) and the edges represent isogenies of degree [math]\displaystyle{ \ell }[/math] between two curves.[1][2][3]

The supersingular isogeny graphs are [math]\displaystyle{ \ell+1 }[/math]-regular graphs, meaning that each vertex has exactly [math]\displaystyle{ \ell+1 }[/math] neighbors. They were proven by Pizer to be Ramanujan graphs, graphs with optimal expansion properties for their degree.[1][2][4][5] The proof is based on Pierre Deligne's proof of the Ramanujan–Petersson conjecture.[4]

Cryptographic applications

One proposal for a cryptographic hash function involves starting from a fixed vertex of a supersingular isogeny graph, using the bits of the binary representation of an input value to determine a sequence of edges to follow in a walk in the graph, and using the identity of the vertex reached at the end of the walk as the hash value for the input. The security of the proposed hashing scheme rests on the assumption that it is difficult to find paths in this graph that connect arbitrary pairs of vertices.[1]

It has also been proposed to use walks in two supersingular isogeny graphs with the same vertex set but different edge sets (defined using different choices of the [math]\displaystyle{ \ell }[/math] parameter) to develop a key exchange primitive analogous to Diffie–Hellman key exchange, called supersingular isogeny key exchange,[2] suggested as a form of post-quantum cryptography.[6] However, a leading variant of supersingular isogeny key exchange was broken in 2022 using non-quantum methods.[7]

References

  1. 1.0 1.1 1.2 Charles, Denis X. (2009), "Cryptographic hash functions from expander graphs", Journal of Cryptology 22 (1): 93–113, doi:10.1007/s00145-007-9002-x, https://eprint.iacr.org/2006/021.pdf 
  2. 2.0 2.1 2.2 De Feo, Luca; Jao, David; Plût, Jérôme (2014), "Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies", Journal of Mathematical Cryptology 8 (3): 209–247, doi:10.1515/jmc-2012-0015, https://eprint.iacr.org/2011/506.pdf 
  3. Mestre, J.-F. (1986), "La méthode des graphes. Exemples et applications", Proceedings of the international conference on class numbers and fundamental units of algebraic number fields (Katata, 1986), Nagoya University, pp. 217–242 
  4. 4.0 4.1 Pizer, Arnold K. (1990), "Ramanujan graphs and Hecke operators", Bulletin of the American Mathematical Society, New Series 23 (1): 127–137, doi:10.1090/S0273-0979-1990-15918-X 
  5. Pizer, Arnold K. (1998), "Ramanujan graphs", Computational perspectives on number theory (Chicago, IL, 1995), AMS/IP Stud. Adv. Math., 7, American Mathematical Society, pp. 159–178 
  6. Nielsen, Jesper Buus, ed. (2018), "Supersingular isogeny graphs and endomorphism rings: Reductions and solutions", Advances in Cryptology – EUROCRYPT 2018: 37th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Tel Aviv, Israel, April 29 - May 3, 2018, Proceedings, Part III, Lecture Notes in Computer Science, 10822, Cham: Springer, pp. 329–368, doi:10.1007/978-3-319-78372-7_11, https://eprint.iacr.org/2018/371.pdf 
  7. Goodin, Dan (August 2, 2022), "Post-quantum encryption contender is taken out by single-core PC and 1 hour: Leave it to mathematicians to muck up what looked like an impressive new algorithm", Ars Technica, https://arstechnica.com/information-technology/2022/08/sike-once-a-post-quantum-encryption-contender-is-koed-in-nist-smackdown/