Supersingular isogeny graph

Last updated November 01, 2022

In mathematics, the supersingular isogeny graphs are a class of expander graphs that arise in computational number theory and have been applied in elliptic-curve cryptography. Their vertices represent supersingular elliptic curves over finite fields and their edges represent isogenies between curves.

Definition and properties

A supersingular isogeny graph is determined by choosing a large prime number $p$ and a small prime number $\ell$ , and considering the class of all supersingular elliptic curves defined over the finite field $\mathbb {F} _{p^{2}}$ . There are approximately $(p+1)/12$ such curves, each two of which can be related by isogenies. The vertices in the supersingular isogeny graph represent these curves (or more concretely, their $j$ -invariants, elements of $\mathbb {F} _{p^{2}}$ ) and the edges represent isogenies of degree $\ell$ between two curves.^[1]^[2]^[3]

The supersingular isogeny graphs are $\ell +1$ -regular graphs, meaning that each vertex has exactly $\ell +1$ neighbors. They were proven by Pizer to be Ramanujan graphs, graphs with optimal expansion properties for their degree.^[1]^[2]^[4]^[5] The proof is based on Pierre Deligne's proof of the Ramanujan–Petersson conjecture.^[4]

Cryptographic applications

One proposal for a cryptographic hash function involves starting from a fixed vertex of a supersingular isogeny graph, using the bits of the binary representation of an input value to determine a sequence of edges to follow in a walk in the graph, and using the identity of the vertex reached at the end of the walk as the hash value for the input. The security of the proposed hashing scheme rests on the assumption that it is difficult to find paths in this graph that connect arbitrary pairs of vertices.^[1]

It has also been proposed to use walks in two supersingular isogeny graphs with the same vertex set but different edge sets (defined using different choices of the $\ell$ parameter) to develop a key exchange primitive analogous to Diffie–Hellman key exchange, called supersingular isogeny key exchange,^[2] suggested as a form of post-quantum cryptography.^[6] However, a leading variant of supersingular isogeny key exchange was broken in 2022 using non-quantum methods.^[7]

Related Research Articles

In graph theory, an expander graph is a sparse graph that has strong connectivity properties, quantified using vertex, edge or spectral expansion. Expander constructions have spawned research in pure and applied mathematics, with several applications to complexity theory, design of robust computer networks, and the theory of error-correcting codes.

Elliptic-curve cryptography (ECC) is an approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields. ECC allows smaller keys compared to non-EC cryptography to provide equivalent security.

In the mathematical field of spectral graph theory, a Ramanujan graph is a regular graph whose spectral gap is almost as large as possible. Such graphs are excellent spectral expanders. As Murty's survey paper notes, Ramanujan graphs "fuse diverse branches of pure mathematics, namely, number theory, representation theory, and algebraic geometry". These graphs are indirectly named after Srinivasa Ramanujan; their name comes from the Ramanujan–Petersson conjecture, which was used in a construction of some of these graphs.

The external Diffie–Hellman (XDH) assumption is a computational hardness assumption used in elliptic curve cryptography. The XDH assumption holds that there exist certain subgroups of elliptic curves which have useful properties for cryptography. Specifically, XDH implies the existence of two distinct groups $with the following properties:$

The discrete logarithm problem (DLP), the computational Diffie–Hellman problem (CDH), and the computational co-Diffie–Hellman problem are all intractable in $and .$
There exists an efficiently computable bilinear map (pairing) $.$
The decisional Diffie–Hellman problem (DDH) is intractable in $.$

In graph theory, an $n$ -dimensional De Bruijn graph of $m$ symbols is a directed graph representing overlaps between sequences of symbols. It has $m n$ vertices, consisting of all possible length- $n$ sequences of the given symbols; the same symbol may appear multiple times in a sequence. For a set of $m$ symbols $S = {s 1, \dots, s m},$ the set of vertices is:

In algebraic geometry, supersingular elliptic curves form a certain class of elliptic curves over a field of characteristic p > 0 with unusually large endomorphism rings. Elliptic curves over such fields which are not supersingular are called ordinary and these two classes of elliptic curves behave fundamentally differently in many aspects. Hasse (1936) discovered supersingular elliptic curves during his work on the Riemann hypothesis for elliptic curves by observing that positive characteristic elliptic curves could have endomorphism rings of unusually large rank 4, and Deuring (1941) developed their basic theory.

In geometry, a vertex, often denoted by letters such as $,,,, is a point where two or more curves, lines, or edges meet. As a consequence of this definition, the point where two lines meet to form an angle and the corners of polygons and polyhedra are vertices.$

<span class="mw-page-title-main">Pseudoforest</span> Graph with one cycle per component

In graph theory, a pseudoforest is an undirected graph in which every connected component has at most one cycle. That is, it is a system of vertices and edges connecting pairs of vertices, such that no two cycles of consecutive edges share any vertex with each other, nor can any two cycles be connected to each other by a path of consecutive edges. A pseudotree is a connected pseudoforest.

Lattice-based cryptography is the generic term for constructions of cryptographic primitives that involve lattices, either in the construction itself or in the security proof. Lattice-based constructions are currently important candidates for post-quantum cryptography. Unlike more widely used and known public-key schemes such as the RSA, Diffie-Hellman or elliptic-curve cryptosystems—which could, theoretically, be defeated using Shor's algorithm on a quantum computer—some lattice-based constructions appear to be resistant to attack by both classical and quantum computers. Furthermore, many lattice-based constructions are considered to be secure under the assumption that certain well-studied computational lattice problems cannot be solved efficiently.

An important aspect in the study of elliptic curves is devising effective ways of counting points on the curve. There have been several approaches to do so, and the algorithms devised have proved to be useful tools in the study of various fields such as number theory, and more recently in cryptography and Digital Signature Authentication. While in number theory they have important consequences in the solving of Diophantine equations, with respect to cryptography, they enable us to make effective use of the difficulty of the discrete logarithm problem (DLP) for the group $, of elliptic curves over a finite field, where q = p k and p is a prime. The DLP, as it has come to be known, is a widely used approach to public key cryptography, and the difficulty in solving this problem determines the level of security of the cryptosystem. This article covers algorithms to count points on elliptic curves over fields of large characteristic, in particular p > 3. For curves over fields of small characteristic more efficient algorithms based on p -adic methods exist.$

<span class="mw-page-title-main">Kristin Lauter</span> American cryptographer

Kristin Estella Lauter is an American mathematician and cryptographer whose research interest is broadly in application of number theory and algebraic geometry in cryptography. She is particularly known for her work in the area of elliptic curve cryptography. She was a researcher at Microsoft Research in Redmond, Washington, from 1999–2021 and the head of the Cryptography Group from 2008–2021; her group developed Microsoft SEAL. In April 2021, Lauter joined Facebook AI Research (FAIR) as the West Coast Head of Research Science. She became the President-Elect of the Association for Women in Mathematics in February 2014 and served as President February 1, 2015 - January 31, 2017.

In cryptography, post-quantum cryptography refers to cryptographic algorithms that are thought to be secure against a cryptanalytic attack by a quantum computer. The problem with currently popular algorithms is that their security relies on one of three hard mathematical problems: the integer factorization problem, the discrete logarithm problem or the elliptic-curve discrete logarithm problem. All of these problems could be easily solved on a sufficiently powerful quantum computer running Shor's algorithm.

Network coding has been shown to optimally use bandwidth in a network, maximizing information flow but the scheme is very inherently vulnerable to pollution attacks by malicious nodes in the network. A node injecting garbage can quickly affect many receivers. The pollution of network packets spreads quickly since the output of honest node is corrupted if at least one of the incoming packets is corrupted.

In public-key cryptography, Edwards-curve Digital Signature Algorithm (EdDSA) is a digital signature scheme using a variant of Schnorr signature based on twisted Edwards curves. It is designed to be faster than existing digital signature schemes without sacrificing security. It was developed by a team including Daniel J. Bernstein, Niels Duif, Tanja Lange, Peter Schwabe, and Bo-Yin Yang. The reference implementation is public domain software.

Supersingular isogeny Diffie–Hellman key exchange is an insecure proposal for a post-quantum cryptographic algorithm to establish a secret key between two parties over an untrusted communications channel. It is analogous to the Diffie–Hellman key exchange, but is based on walks in a supersingular isogeny graph and was designed to resist cryptanalytic attack by an adversary in possession of a quantum computer. Before it was broken, SIDH boasted one of the smallest key sizes of all post-quantum key exchanges; with compression, SIDH used 2688-bit public keys at a 128-bit quantum security level. SIDH also distinguishes itself from similar systems such as NTRU and Ring-LWE by supporting perfect forward secrecy, a property that prevents compromised long-term keys from compromising the confidentiality of old communication sessions. These properties seemed to make SIDH a natural candidate to replace Diffie–Hellman (DHE) and elliptic curve Diffie–Hellman (ECDHE), which are widely used in Internet communication. However, SIDH is vulnerable to a devastating key-recovery attack published in July 2022 and is therefore insecure.

In cryptography, a public key exchange algorithm is a cryptographic algorithm which allows two parties to create and share a secret key, which they can use to encrypt messages between themselves. The ring learning with errors key exchange (RLWE-KEX) is one of a new class of public key exchange algorithms that are designed to be secure against an adversary that possesses a quantum computer. This is important because some public key algorithms in use today will be easily broken by a quantum computer if such computers are implemented. RLWE-KEX is one of a set of post-quantum cryptographic algorithms which are based on the difficulty of solving certain mathematical problems involving lattices. Unlike older lattice based cryptographic algorithms, the RLWE-KEX is provably reducible to a known hard problem in lattices.

In mathematics, calculus on finite weighted graphs is a discrete calculus for functions whose domain is the vertex set of a graph with a finite number of vertices and weights associated to the edges. This involves formulating discrete operators on graphs which are analogous to differential operators in calculus, such as graph Laplacians as discrete versions of the Laplacian, and using these operators to formulate differential equations, difference equations, or variational models on graphs which can be interpreted as discrete versions of partial differential equations or continuum variational models. Such equations and models are important tools to mathematically model, analyze, and process discrete information in many different research fields, e.g., image processing, machine learning, and network analysis.

In cryptography, Combined Elliptic-Curve and Post-Quantum 2 (CECPQ2) is a quantum secure modification to Transport Layer Security (TLS) 1.3 developed by Google. It is intended to be used experimentally, to help evaluate the performance of post quantum key-exchange algorithms on actual users' devices.

The claw finding problem is a classical problem in complexity theory, with several applications in cryptography. In short, given two functions f, g, viewed as oracles, the problem is to find x and y such as f(x) = g(y). The pair is then called a claw. Some problems, especially in cryptography, are best solved when viewed as a claw finding problem, hence any algorithmic improvement to solving the claw finding problem provides a better attack on cryptographic primitives such as hash functions.

Elementary Number Theory, Group Theory and Ramanujan Graphs is a book in mathematics whose goal is to make the construction of Ramanujan graphs accessible to undergraduate-level mathematics students. In order to do so, it covers several other significant topics in graph theory, number theory, and group theory. It was written by Giuliana Davidoff, Peter Sarnak, and Alain Valette, and published in 2003 by the Cambridge University Press, as volume 55 of the London Mathematical Society Student Texts book series.

References

1 2 3 Charles, Denis X.; Lauter, Kristin E.; Goren, Eyal Z. (2009), "Cryptographic hash functions from expander graphs" (PDF), Journal of Cryptology, 22 (1): 93–113, doi:10.1007/s00145-007-9002-x, MR 2496385, S2CID 6417679
1 2 3 De Feo, Luca; Jao, David; Plût, Jérôme (2014), "Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies" (PDF), Journal of Mathematical Cryptology, 8 (3): 209–247, doi:10.1515/jmc-2012-0015, MR 3259113, S2CID 10873244
↑ Mestre, J.-F. (1986), "La méthode des graphes. Exemples et applications", Proceedings of the international conference on class numbers and fundamental units of algebraic number fields (Katata, 1986), Nagoya University, pp. 217–242, MR 0891898
1 2 Pizer, Arnold K. (1990), "Ramanujan graphs and Hecke operators", Bulletin of the American Mathematical Society, New Series, 23 (1): 127–137, doi: 10.1090/S0273-0979-1990-15918-X , MR 1027904
↑ Pizer, Arnold K. (1998), "Ramanujan graphs", Computational perspectives on number theory (Chicago, IL, 1995), AMS/IP Stud. Adv. Math., vol. 7, American Mathematical Society, pp. 159–178, MR 1486836
↑ Eisenträger, Kirsten; Hallgren, Sean; Lauter, Kristin; Morrison, Travis; Petit, Christophe (2018), "Supersingular isogeny graphs and endomorphism rings: Reductions and solutions" (PDF), in Nielsen, Jesper Buus; Rijmen, Vincent (eds.), Advances in Cryptology – EUROCRYPT 2018: 37th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Tel Aviv, Israel, April 29 - May 3, 2018, Proceedings, Part III (PDF), Lecture Notes in Computer Science, vol. 10822, Cham: Springer, pp. 329–368, doi:10.1007/978-3-319-78372-7_11, MR 3794837
↑ Goodin, Dan (August 2, 2022), "Post-quantum encryption contender is taken out by single-core PC and 1 hour: Leave it to mathematicians to muck up what looked like an impressive new algorithm", Ars Technica

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[clg-1] 1 2 3 Charles, Denis X.; Lauter, Kristin E.; Goren, Eyal Z. (2009), "Cryptographic hash functions from expander graphs" (PDF), Journal of Cryptology, 22 (1): 93–113, doi:10.1007/s00145-007-9002-x, MR 2496385, S2CID 6417679

[fjp-2] 1 2 3 De Feo, Luca; Jao, David; Plût, Jérôme (2014), "Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies" (PDF), Journal of Mathematical Cryptology, 8 (3): 209–247, doi:10.1515/jmc-2012-0015, MR 3259113, S2CID 10873244

[m-3] Mestre, J.-F. (1986), "La méthode des graphes. Exemples et applications", Proceedings of the international conference on class numbers and fundamental units of algebraic number fields (Katata, 1986), Nagoya University, pp. 217–242, MR 0891898

[p1-4] 1 2 Pizer, Arnold K. (1990), "Ramanujan graphs and Hecke operators", Bulletin of the American Mathematical Society, New Series, 23 (1): 127–137, doi: 10.1090/S0273-0979-1990-15918-X , MR 1027904

[p2-5] Pizer, Arnold K. (1998), "Ramanujan graphs", Computational perspectives on number theory (Chicago, IL, 1995), AMS/IP Stud. Adv. Math., vol. 7, American Mathematical Society, pp. 159–178, MR 1486836

[ehlmp-6] Eisenträger, Kirsten; Hallgren, Sean; Lauter, Kristin; Morrison, Travis; Petit, Christophe (2018), "Supersingular isogeny graphs and endomorphism rings: Reductions and solutions" (PDF), in Nielsen, Jesper Buus; Rijmen, Vincent (eds.), Advances in Cryptology – EUROCRYPT 2018: 37th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Tel Aviv, Israel, April 29 - May 3, 2018, Proceedings, Part III (PDF), Lecture Notes in Computer Science, vol. 10822, Cham: Springer, pp. 329–368, doi:10.1007/978-3-319-78372-7_11, MR 3794837

[goodin-7] Goodin, Dan (August 2, 2022), "Post-quantum encryption contender is taken out by single-core PC and 1 hour: Leave it to mathematicians to muck up what looked like an impressive new algorithm", Ars Technica

[1]

[2]

[3]

[4]

[5]

[6]

[7]

Supersingular isogeny graph

Contents

Definition and properties

Cryptographic applications

Related Research Articles

References