Cryptology ePrint Archive: Report 2019/927
Isogeny-based hashing despite known endomorphisms
Lorenz Panny
Abstract: The Charles-Goren-Lauter hash function on isogeny graphs of supersingular elliptic curves was shown to be insecure under collision attacks when the endomorphism ring of the starting curve is known. Since there is no known way to generate a supersingular elliptic curve with verifiably unknown endomorphisms, the hash function can currently only be used after a trusted-setup phase. This note presents a simple modification to the construction of the hash function which, under a few heuristics, prevents said collision attack and permits the use of arbitrary starting curves, albeit with a performance impact of a factor of two.
Category / Keywords: isogeny-based cryptography, expander graphs, hash functions
Date: received 14 Aug 2019, last revised 14 Aug 2019
Contact author: l s panny at tue nl
Version: 20190818:154535
Short URL: ia.cr/2019/927