Paper 2024/1776

An efficient collision attack on Castryck-Decru-Smith’s hash function

Abstract

In 2020, Castryck-Decru-Smith constructed a hash function using the (2,2)-isogeny graph of superspecial principally polarized abelian surfaces. In their construction, the initial surface was chosen from vertices quite "close" to the square of a supersingular elliptic curve with a known endomorphism ring. In this paper, we propose an algorithm for recovering a collision on their hash function. Under some heuristic assumptions, the time complexity and space complexity of our algorithm are estimated to be $$ which is smaller than the complexity $$ the authors had claimed necessary to recover such a collision, where $$ is the characteristic of the base field. In particular case where $$ has a special form, then both the time and space complexities of our algorithm are polynomial in $$. We implemented our algorithm in MAGMA, and succeeded in recovering a collision in 17 hours (using 64 parallel computations) under a parameter setting the authors had claimed to be 384-bit secure. Finally, we propose a simple countermeasure against our attack, which is expected to restore the complexity required to recover a collision to $$ currently.