Cryptology ePrint Archive: Report 2019/927

Isogeny-based hashing despite known endomorphisms

Lorenz Panny

Abstract: The Charles-Goren-Lauter hash function on isogeny graphs of supersingular elliptic curves was shown to be insecure under collision attacks when the endomorphism ring of the starting curve is known. Since there is no known way to generate a supersingular elliptic curve with verifiably unknown endomorphisms, the hash function can currently only be used after a trusted-setup phase. This note presents a simple modification to the construction of the hash function which, under a few heuristics, prevents said collision attack and permits the use of arbitrary starting curves, albeit with a performance impact of a factor of two.

Category / Keywords: isogeny-based cryptography, expander graphs, hash functions

Date: received 14 Aug 2019, last revised 14 Aug 2019

Contact author: l s panny at tue nl

Available format(s): PDF | BibTeX Citation

Version: 20190818:154535 (All versions of this report)

Short URL: ia.cr/2019/927