Paper 2019/927

Isogeny-based hashing despite known endomorphisms

Lorenz Panny

Abstract

The Charles-Goren-Lauter hash function on isogeny graphs of supersingular elliptic curves was shown to be insecure under collision attacks when the endomorphism ring of the starting curve is known. Since there is no known way to generate a supersingular elliptic curve with verifiably unknown endomorphisms, the hash function can currently only be used after a trusted-setup phase. This note presents a simple modification to the construction of the hash function which, under a few heuristics, prevents said collision attack and permits the use of arbitrary starting curves, albeit with a performance impact of a factor of two.

Metadata
Available format(s)
PDF
Publication info
Preprint. Minor revision.
Keywords
isogeny-based cryptographyexpander graphshash functions
Contact author(s)
l s panny @ tue nl
History
2019-08-18: received
Short URL
https://ia.cr/2019/927
License
Creative Commons Attribution
CC BY

BibTeX 

@misc{cryptoeprint:2019/927,
      author = {Lorenz Panny},
      title = {Isogeny-based hashing despite known endomorphisms},
      howpublished = {Cryptology ePrint Archive, Paper 2019/927},
      year = {2019},
      note = {\url{https://eprint.iacr.org/2019/927}},
      url = {https://eprint.iacr.org/2019/927}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.