Genus Two Isogeny Cryptography

Abstract

We study \((\ell ,\ell )\)-isogeny graphs of principally polarised supersingular abelian surfaces (PPSSAS). The \((\ell ,\ell )\)-isogeny graph has cycles of small length that can be used to break the collision resistance assumption of the genus two isogeny hash function suggested by Takashima. Algorithms for computing (2, 2)-isogenies on the level of Jacobians and (3, 3)-isogenies on the level of Kummers are used to develop a genus two version of the supersingular isogeny Diffie–Hellman protocol of Jao and de Feo. The genus two isogeny Diffie–Hellman protocol achieves the same level of security as SIDH but uses a prime with a third of the bit length.

Appendices

A Examples of Isogeny Graphs

We will consider kernels with order 256 in this example. The key to each example is to the find the number of \(C_2\times C_2\) subgroups of each kernel since this would correspond with the number of possible (2, 2)-isogenies. Firstly, we note that the structure of maximal isotropic subgroups of order 256 must be \(C_{16}\times C_{16}\), or \(C_{16}\times C_4\times C_4\), or \(C_{16}\times C_8\times C_2\) by Proposition 2. The isogeny graphs are given in Fig. 1.

The easy case is when the kernel \(K_0\) has the structure \(C_{16}\times C_{16}\). This is because there is only one \(C_2\times C_2\) subgroup in K. Hence, there is only one isogeny path available and we have a straight line.

Now, let us consider the case when \(K_1\) has the structure \(C_{16}\times C_4\times C_4\). We will label the isomorphism classes of the surfaces by (n), where n is a natural number. We will denote the first surface by (1).

We can represent the 3 generators of \(K_1\) by P, Q and R, where their orders are 16, 4 and 4 respectively. There are 3 different \(C_2\times C_2\) subgroups of K given by \(\langle [8]P,[2]Q\rangle \), \(\langle [8]P,[2]R\rangle \) and \(\langle [8]P,[2](Q+R)\rangle \) in accordance to Lemma 2. Hence, we can and will denote the (2, 2)-subgroups of K by the scalar preceding Q and R. For instance, the three subgroups given here are denoted by (2, 0), (0, 2) and (2, 2).

These 3 subgroups lead to non-isomorphic surfaces labelled as (2), (3) and (4). The edges are labelled by the subgroup corresponding to the isogeny.

Consider the vertex (2), and consider the (2, 2)-isogeny from (2) with kernel \(\langle [4]P,[2]R\rangle \)⁴ and denote the codomain by (8). One can see that the isogeny from (1) to (8) has kernel \(\langle [4]P,[2]Q,[2]R\rangle \).

One can also map from (3) and (4) to (8) via the kernels (2,0) and (2,0). Immediately, one can spot the diamonds mentioned prior to this example. Indeed, the diamonds can be seen repeatedly in the graph.

Vertices can form tips of the diamond when there is a \(C_4\times C_2\times C_2\) subgroup in the kernel. This is best illustrated in the next example where the kernel \(K_2\) has structure \(C_{16}\times C_8\times C_2\). Using the notation from the previous example, \(K_2\) will be given by \(\langle P', Q', R'\rangle \), where \(P'=P\), \([2]Q'=Q\) and \(R'=[2]R\).

Starting from the vertex (1) again, we have the same 3 subgroups, which result in the same surfaces (2), (3) and (4). We also have that the three surfaces will all have maps into (8) as before. However, residual kernel at (2) is now isomorphic to \(C_8\times C_8\), hence we see that the isogeny path from (2) down to (18) is a straight line. The residual kernel at (4) on the other hand, is \(C_8\times C_4\times C_2\), hence it contains \(C_4\times C_2\times C_2\) as a subgroup and so, (4) forms the tip of another diamond.

Another thing to note about this case is that the moment R is in the kernel, we cannot have \(C_4\times C_2\times C_2\) as a subgroup of the residual kernel. This can be observed from the diagonal right-to-left lines in Fig. 1b.

Lastly, Fig. 2 shows all the neighbours which are two (2, 2)-isogenies away. So the top vertex is connected to each of the middle and bottom vertices by an isogeny of degree 4 and 16 respectively. The diamonds corresponding to kernels with the structure \(C_4\times C_2\times C_2\), (though contorted) are present and its number is as predicted in Proposition 3.

Fig. 1.

Isogeny subgraphs when the kernel has order 256.

Fig. 2.

Isogeny graph from an arbitrary vertex showing 2 layers of isogenies.

B Implementation

We have implemented the key exchange scheme in MAGMA using p of 100-bits. This yields a classical security of 75-bits and a quantum security of 50-bits. The first round of the key exchange which required the mapping of points took 145.7 s for Alice and 145.41 s for Bob. The second round of the key exchange took 74.8 s for Alice and 72.29 s for Bob.

The implementation took parameters \(e_A=51\) and \(e_B=32\), and \(f=1\) with

$$\begin{aligned} p = 4172630516011578626876079341567. \end{aligned}$$

The base hyperelliptic curve is defined by

$$\begin{aligned} H: y^2&= (380194068372159317574541564775i + 1017916559181277226571754002873)x^6\\&+ (3642151710276608808804111504956i + 1449092825028873295033553368501)x^5\\&+ (490668231383624479442418028296i + 397897572063105264581753147433)x^4\\&+ (577409514474712448616343527931i + 1029071839968410755001691761655)x^3\\&+ (4021089525876840081239624986822i + 3862824071831242831691614151192)x^2\\&+ (2930679994619687403787686425153i + 1855492455663897070774056208936)x\\&+ 2982740028354478560624947212657i + 2106211304320458155169465303811 \end{aligned}$$

where \(i^2=-1\) in \(\mathbb {F}_{p^2}\).

The generators of the torsion subgroups are given by

$$\begin{aligned} P_1&= \left( \begin{array}{r} x^2 + (2643268744935796625293669726227i + 1373559437243573104036867095531)x\\ + 2040766263472741296629084172357i + 4148336987880572074205999666055,\\ + (2643644763015937217035303914167i + 3102052689781182995044090081179)x\\ + 1813936678851222746202596525186i + 3292045648641130919333133017218 \end{array}\right) ,\\ P_2&= \left( \begin{array}{r} x^2 + (1506120079909263217492664325998i + 1228415755183185090469788608852)x\\ + 510940816723538210024413022814i + 325927805213930943126621646192,\\ + (1580781382037244392536803165134i + 3887834922720954573750149446163)x\\ + 167573350393555136960752415082i + 1225135781040742113572860497457 \end{array}\right) ,\\ P_3&= \left( \begin{array}{r} x^2 + (3505781767879186878832918134439i + 1904272753181081852523334980136)x\\ + 646979589883461323280906338962i + 403466470460947461098796570690,\\ + (311311346636220579350524387279i + 1018806370582980709002197493273)x\\ + 1408004869895332587263994799989i + 1849826149725693312283086888829 \end{array}\right) , \end{aligned}$$

$$\begin{aligned} P_4&= \left( \begin{array}{r} x^2 + (2634314786447819510080659494014i + 72540633574927805301023935272)x\\ + 1531966532163723578428827143067i + 1430299038689444680071540958109,\\ + (3957136023963064340486029724124i + 304348230408614456709697813720)x\\ + 888364867276729326209394828038i + 2453132774156594607548927379151 \end{array}\right) ,\\ Q_1&= \left( \begin{array}{r} x^2 + (2630852063481114424941031847450i + 66199700402594224448399474867)x\\ + 497300488675151931970215687005i + 759563233616865509503094963984,\\ + (1711990417626011964235368995795i + 3370542528225682591775373090846)x\\ + 2409246960430353503520175176754i + 1486115372404013153540282992605 \end{array}\right) ,\\ Q_2&= \left( \begin{array}{r} x^2 + (950432829617443696475772551884i + 3809766229231883691707469450961)x\\ + 1293886731023444677607106763783i + 2152044083269016653158588262237,\\ + (3613765124982997852345558006302i + 4166067285631998217873560846741)x\\ + 2494877549970866914093980400340i + 3422166823321314392366398023265 \end{array}\right) ,\\ Q_3&= \left( \begin{array}{r} x^2 + (1867909473743807424879633729641i + 3561017973465655201531445986517)x\\ + 614550355856817299796257158420i + 3713818865406510298963726073088,\\ + (846565504796531694760652292661i + 2430149476747360285585725491789)x\\ + 3827102507618362281753526735086i + 878843682607965961832497258982 \end{array}\right) ,\\ Q_4&= \left( \begin{array}{r} x^2 + (2493766102609911097717660796748i + 2474559150997146544698868735081)x\\ + 843886014491849541025676396448i + 2700674753803982658674811115656,\\ + (2457109003116302300180304001113i + 3000754825048207655171641361142)x\\ + 2560520198225087401183248832955i + 2490028703281853247425401658313 \end{array}\right) . \end{aligned}$$

The secret scalars of Alice and Bob are

$$\begin{aligned} \alpha _1&= 937242395764589,&\!\!\alpha _2&= 282151393547351,&\alpha _3&= 0,&\alpha _4&= 0,\\ \alpha _5&= 0 ,&\alpha _6&=0,&\alpha _7&= 1666968036125619,&\alpha _8&\!\!= 324369560360356, \\ \alpha _9&= 0,&\alpha _{10}&=0,&\alpha _{11}&= 0,&\alpha _{12}&= 0, \\ \beta _1&= 103258914945647,&\beta _2&= 1444900449480064,&\beta _3&= 0,&\beta _4&= 0,\\ \beta _5&= 0,&\beta _6&=0,&\beta _7&= 28000236972265,&\beta _8&\!\!= 720020678656772,\\ \beta _9&= 0,&\beta _{10}&=0,&\beta _{11}&= 0,&\beta _{12}&= 0, \\ \end{aligned}$$

Using their secret scalars, they will obtain the following pair of hyperelliptic curves

$$\begin{aligned} H_A: y^2&= (3404703004587495821596176965058i + 403336181260435480105799382459)x^6\\&+ (3001584086424762938062276222340i + 3110471904806922603655329247510)x^5\\&+ (1017199310627230983511586463332i + 1599189698631433372650857544071)x^4\\&+ (2469562012339092945398365678689i + 1154566472615236827416467624584)x^3\\&+ (841874238658053023013857416200i + 422410815643904319729131959469)x^2\\&+ (3507584227180426976109772052962i + 2331298266595569462657798736063)x\\&+ 2729816620520905175590758187019i + 3748704006645129000498563514734, \end{aligned}$$

$$\begin{aligned} H_B: y^2&= (3434394689074752663579510896530i + 3258819610341997123576600332954)x^6\\&+ (3350255113820895191389143565973i + 2681892489448659428930467220147)x^5\\&+ (2958298818675004062047066758264i + 904769362079321055425076728309)x^4\\&+ (2701255487608026975177181091075i + 787033120015012146142186182556)x^3\\&+ (3523675811671092022491764466022i + 2804841353558342542840805561369)x^2\\&+ (3238151513550798796238052565124i + 3437885792433773163395130700555)x\\&+ 1829327374163410097298853068766i + 3453489516944406316396271485172. \end{aligned}$$

The auxiliary points computed are the following

$$\begin{aligned} \phi _B(P_1)&= \pm \left( \begin{array}{r} x^2 + (576967470035224384447071691859i + 3905591233169141993601703381059)x\\ + 1497608451125872175852448359137i + 2622938093324787679229413320405,\\ (2205483026731282488507766835920i + 1887631895533666975170960498604)x\\ + 2270438136719486828147096768168i + 1098893079140511975119740789184 \end{array}\right) ,\\ \phi _B(P_2)&= \pm \left( \begin{array}{r} x^2 + (200280720842476245802835273443i + 3878472110821865480924821702529)x\\ + 476628031810757734488740719290i + 2957584612454518004162519574871,\\ (3949908621907714361071815553277i + 630639323620735966636718321043)x\\ + 901597642385324157925700976889i + 2429302320101537821240219151082 \end{array}\right) ,\\ \phi _B(P_3)&= \pm \left( \begin{array}{r} x^2 + (4133157753622694250606077231439i + 2486410359530824865039464484854)x\\ + 217800646374565182483064906626i + 1249364962732904444334902689884,\\ (1265490246594537172661646499003i + 2130834160349159007051974433128)x\\ + 2580286680987425601000738010969i + 578046610192146114698466530758 \end{array}\right) ,\\ \phi _B(P_4)&= \pm \left( \begin{array}{r} x^2 + (6601102003779684073844190837i + 87106350729631184785549140074)x\\ + 2330339334251130536871893039627i + 1494511552650494479113393669713,\\ (1706314262702892774109446145989i + 3539074449728790590891503255545)x\\ + 1950619453681381932329106130008i + 685170915670741858430774920061 \end{array}\right) ,\\ \phi _A(Q_1)&= \left( \begin{array}{r} x^2 + (3464040394311932964693107348618i + 1234121484161567611101667399525)x\\ + 17895775393232773855271038385i + 3856858968014591645005318326985,\\ (2432835950855765586938146638349i + 3267484715622822051923177214055)x\\ + 985386137551789348760277138076i + 1179835886991851012234054275735 \end{array}\right) ,\\ \phi _A(Q_2)&= \left( \begin{array}{r} x^2 + (363382700960978261088696293501i + 3499548729039922528103431054749)x\\ + 3832512523382547716418075195517i + 3364204966204284852762530333038,\\ (3043817101596607612186808885116i + 4027557567198565187096133171734)x\\ + 4087176631917166066356886198518i + 1327157646340760346840638146328 \end{array}\right) ,\\ \phi _A(Q_3)&= \left( \begin{array}{r} x^2 + (3946684136660787881888285451015i + 1250236853749119184502604023717)x\\ + 3358152613483376587872867674703i + 467252201151076389055524809476,\\ (1562920784368105245499132757775i + 987920823075946850233644600497)x\\ + 1675005758282871337010798605079i + 1490924669195823363601763347629 \end{array}\right) ,\\ \phi _A(Q_4)&= \left( \begin{array}{r} x^2 + (1629408242557750155729330759772i + 3235283387810139201773539373655)x\\ + 1341380669490368343450704316676i + 1454971022788254094961980229605,\\ (2393675986247524032663566872348i + 3412019204974086421616096641702)x\\ + 1890349696856504234320283318545i + 841699061347215234631210012075 \end{array}\right) . \end{aligned}$$

This allows for both parties to compute the final isogeny to obtain

$$ \begin{pmatrix} 1055018150197573853947249198625i + 2223713843055934677989300194259,\\ 819060580729572013508006537232i + 3874192400826551831686249391528,\\ 1658885975351604494486138482883i + 3931354413698538292465352257393 \end{pmatrix} $$

as their common \(G_2\)-invariants.