
FACULTY OF SCIENCE

A Genus Two Variant of CGL Hash Functions

Thomas DECRU

Supervisor: Prof. B. Preneel
Co-supervisor: Prof. F. Vercauteren
Mentor: Dr. W. Castryck

Thesis presented in fulfillment of the requirements for the degree of Master of Science in Mathematics

Academic year 2017-2018


© Copyright by KU Leuven

Without written permission of the promotors and the authors it is forbidden to reproduce or adapt in any form or by any means any part of this publication. Requests for obtaining the right to reproduce or utilize parts of this publication should be addressed to KU Leuven, Faculteit Wetenschappen, Geel Huis, Kasteelpark Arenberg 11 bus 2100, 3001 Leuven (Heverlee), Telephone +32 16 32 14 01.

A written permission of the promotor is also required to use the methods, products, schematics and programs described in this work for industrial or commercial use, and for submitting this publication in scientific contests.


Preface

This is the thesis A Genus Two Variant of CGL Hash Functions, presented in fulfillment of the requirements for the degree of Master of Science in Mathematics at the KU Leuven. All of the research involving this thesis happened during the academic year 2017-2018.

In the first place, I would like to thank my mentor, doctor Wouter Castryck, for explaining a lot of new concepts and answering all of my questions regarding them. The many hours spent at his office trying to find solutions to new problems that arose along the way were extremely helpful. I would also like to thank my supervisor, professor Bart Preneel, for presenting this interesting topic, as well as my co-supervisor, professor Frederik Vercauteren, for the quick brainstorm sessions on possible paths to explore within this subject.

I would also like to thank my parents and sister, who have always supported me throughout the years, even if some of my life decisions seemed questionable at first. Next, I would like to thank my friends who made this last year, of which most was spent in Leuven, a lot more enjoyable as they provided me with ample distraction when I needed some time off. Trying to list them all would unmistakably result in forgetting certain names, but a special mention definitely goes out to Jolien Ponnet and Laura De Backer. And last but not least I would like to thank my personal cheerleader Ellen Van de Velde and my pet Kwakker. Their positivity undoubtedly helped bring this thesis to a good end.

Thomas Decru,
Leuven,
June 6, 2018


Summary

The aim of this master thesis is threefold. First, we perform a literature study regarding CGL hash functions and SIDH. We start with defining the concepts of CGL hash functions and elliptic curves. Next, we examine maps called isogenies between these curves and discuss some of their properties. A particular subset of elliptic curves, called supersingular elliptic curves, possesses very particular properties that make them a perfect candidate for a CGL hash function. In order to create such a hash function, we construct a graph that connects supersingular elliptic curves through isogenies. We also discuss SIDH, as it shows a lot of similarities with the CGL hash function because of the aforementioned graph.

Our second goal is to see if the results from the previous section can be adjusted to work for curves of higher genus, in particular genus two hyperelliptic curves. This seems to be the case but certain generalizations need to be made, making things more complicated. One particular subset of isogenies, called Richelot isogenies, proves particularly useful due to their easy to compute formulas. Unfortunately, some Richelot isogenies correspond to a degenerate case that makes things slightly more complicated and less symmetric. Despite this hindrance, we still manage to create an appropriate graph defined with isogenies between supersingular genus two curves. We prove that this graph contains certain important properties that made the graph from the elliptic curve case valuable and, hence, manage to construct a new CGL hash function from it.

Our final goal is to implement this work in the computer algebra software Magma. With help from Magma, we manage to prove that there is a strict upper bound on the amount of degenerate cases for Richelot isogenies. Heuristically though, the chance of this degenerate case occurring tends to zero as we let our graph grow larger. The theoretical upper bound helps us create a hash function that processes 3 bits at every step of the way, compared to just 1 bit in the elliptic curve case. We also show heuristically that the graph grows faster, in function of the characteristic of the field we work over, than in the case of supersingular elliptic curves. Finally, we implement our genus two CGL hash function in Magma. The computing speed per bit is noticeably slower than the elliptic curve CGL hash function, but close enough that some optimization work could turn it into a practical application. Additionally, the hash function has an output that is slightly larger and its security is less well understood. We hope that this work will be a useful step forward to understanding the advantages and disadvantages of using genus two curves in isogeny based cryptography.


List of Abbreviations and Symbols

ECDSA  Elliptic Curve Digital Signature Algorithm
ECDH  Elliptic Curve Diffie-Hellman
SIDH  Supersingular Isogeny Diffie-Hellman
CGL  Charles-Goren-Lauter
$\mathbb{F}_{q^r}$  a finite field with $q^r$ elements
$\overline{K}$  the algebraic closure of the field $K$
$\mathrm{Gal}(E/F)$  the Galois group of $E$ over $F$
$Z(C(\mathbb{F}_q);T)$  the zeta function of $C$ over $\mathbb{F}_q$ in the variable $T$
$E(K)$  the points of the curve $E$ that are defined over the field $K$
$O_E$  the point at infinity of the curve $E$
$[n]P$  the multiplication by $n$ map applied to $P$
$E[n]$  the $n$-torsion of the curve $E$
$j(E)$  the $j$-invariant of the elliptic curve $E$
$\hat{\varphi}$  the dual isogeny of the isogeny $\varphi$
$G(p, l)$  the graph for the CGL hash function in the elliptic curve case
$f_H$  the quintic or sextic polynomial defining the genus two curve $H$
$J_H$  the jacobian of the curve $H$
$J_H[n]$  the $n$-torsion of $J_H$
$H$  the genus two curve given by the equation $y^2 = x^5 - x$
$\left(\frac{a}{p}\right)$  the Legendre symbol of $a$ over $p$
$\varphi_q$  the $q$-Frobenius (endo)morphism
$G'_p$  the graph for the CGL hash function in the genus two case


Contents

Preface II

Summary III

List of Abbreviations and Symbols IV

1 Introduction 1

2 Preliminaries 3
2.1 Weil Conjectures 3
2.2 Gröbner Basis 5
2.3 CGL Hash Functions from Expander Graphs 6

3 Hash Functions from Supersingular Elliptic Curves 9
3.1 Group Law on Elliptic Curves 9
3.2 Isogenies 11
3.3 Supersingular Isogeny Graphs 13
3.4 Supersingular Isogeny Diffie-Hellman 15

4 Hash Functions from Supersingular Hyperelliptic Curves 18
4.1 Genus two curves and their jacobian 18
4.2 Isogenies 21
4.3 Supersingular Isogeny Graphs 25

5 Implementations 34
5.1 Some small examples of $G'_p$ 34
5.2 Amount of Singular Quadratic Splittings 35
5.3 Size of $G'_p$ 38
5.4 Heuristic Amount of Singular Quadratic Splittings 41
5.5 Expanding Properties of $G'_p$ 45
5.6 Hash Function from $G'_p$ 49

6 Conclusion 51

Appendices 56

A Implemented Code 57
A.1 Some small examples of $G'_p$ 57
A.2 Amount of Singular Quadratic Splittings 58
A.3 Size of $G'_p$ 59


A.4 Heuristic Amount of Nonsingular Quadratic Splittings 61
A.5 Expanding Properties of $G'_p$ 62
A.6 Hash Function from $G'_p$ 64


Chapter 1

Introduction

Elliptic curves have been thoroughly studied in the past decades and have numerous uses in various scientific fields. In the area of cryptography, two of the more renowned applications are the Elliptic Curve Digital Signature Algorithm (ECDSA) and Elliptic Curve Diffie-Hellman (ECDH). These are security protocols that are widely used in, for example, banking transactions and online communication. In 1994 however, it was pointed out by Shor that a quantum computer would be able to break these current protocols rather efficiently [Sho99]. While the quantum computer is not yet fully developed, progress in the field is advancing rapidly and companies like IBM and Google are delivering more promising results than ever. The threat of quantum computers is of a completely different nature compared to any known classical attack, such that enlarging the key size for the current protocols will not save them either. Additionally, a quantum computer would be able to decrypt all current protocols retroactively. For that reason, research into more elaborate cryptographic systems that can withstand attacks from a quantum computer is in full development. The National Institute of Standards and Technology has therefore issued a competition for post-quantum public key cryptography algorithms. The goal of this competition is to standardize one or more of these protocols well ahead of the release of any large-scale quantum computer, since preparing all our infrastructure for the advent will take years or even decades.

One of the algorithms in the competition is based on the Supersingular Isogeny Diffie-Hellman key exchange (SIDH) proposed by De Feo and Jao in 2010 [JDF11]. This protocol relies on properties held by elliptic curves just like ECDSA and ECDH do. The main difference is that SIDH no longer works on a single elliptic curve, but rather makes use of maps called isogenies between different elliptic curves. This new key exchange makes use of isogeny graphs, similar to the cryptographic hash function proposed by Charles, Goren and Lauter (CGL) in 2006 [CGL09].

The goal of this thesis is threefold. First of all we want to understand isogenies between elliptic curves and in particular CGL hash functions and SIDH. The theory about elliptic curves in general is profound and we will only need specific parts of it. A lot of well-known results require an extensive additional framework in order to understand the proofs, so we will not replicate those. For more background we would like to refer the interested reader to [Sil09], which is the benchmark reference for an in-depth understanding of elliptic curves.

Secondly, we want to investigate whether the previously obtained knowledge can be adjusted to hyperelliptic curves. While this has been done for various other elliptic curve applications, to our knowledge this is not yet the case for either SIDH or CGL hash functions. Unfortunately, for hyperelliptic curves of genus three or higher a lot of the properties break down. For that reason we will restrict ourselves to hyperelliptic curves of genus two.

Finally we want to see if we can implement this generalization. We will try to recreate the CGL hash function with hyperelliptic curves of genus two in the computer algebra software Magma. The implementation is not necessarily meant to be practical, but rather theoretical, to see if it can be done and what problems may arise. Therefore the focus of this part will not be on efficiency or security.

The motivation for these last two points is as follows. First there is the general goal of assisting in the research towards post-quantum cryptography. Even though our focus is not on the security aspect of the algorithms, it is not infeasible to assume that working with more convoluted mathematical objects could make attacks more difficult to find as well. Secondly, as we will prove in chapter 5, at every step in our hash function we can evaluate at least 3 bits when working with hyperelliptic curves of genus two, whereas in the case of elliptic curves this was 1 bit. So even if the computations themselves would be slightly more elaborate, it comes with the convenience of having to do fewer of them. Finally, the genus two version of the SIDH protocol may solve an important issue that occurs in the elliptic curve case: the fact that it is asymmetric by nature. If Alice and Bob want to communicate by using the SIDH protocol, one of them has to work with 2-isogenies, whereas the other will have to use 3-isogenies. While this is not a problem in theory, having a large network of users trying to communicate between themselves means that they must all use different $l$-isogenies, which complicates the computations a lot. In the genus two variant, there is a possibility that every user would be able to work with the same $(2, 2)$-isogenies. A possible avenue of investigation for this would be to consider the genus two curves as unpolarized abelian varieties. We will not elaborate on this further since it goes beyond the scope of this thesis, but it is worth mentioning in case a genus two variant of SIDH would be developed.

In chapter 2 we will state some important concepts and results from algebraic geometry and graph theory. In chapter 3 we will formulate the relevant definitions and theorems regarding elliptic curves that are needed to establish the CGL hash function. We will also briefly discuss SIDH in this chapter given the similarities between the key exchange protocol and the CGL hash function. In chapter 4 we will follow the same outline and try to generalize these statements to hyperelliptic curves of genus two. This will not always be possible, so partial or heuristic results can occur. In chapter 5 we discuss some results that were found by help of the computer algebra software Magma, as well as implement a genus two variant of the CGL hash function. We will also use the statistical software R at one point, as well as MATLAB to create images of the results from Magma.

The reader is assumed to be familiar with basic concepts from algebra, algebraic geometry and Galois theory such as projective varieties, regular maps, finite fields, etc.


Chapter 2

Preliminaries

In this chapter we will formulate some terminology and non-trivial results that are needed throughout the following chapters. In section 2.1 we define the genus of a curve and state the Weil conjectures for curves of a specific genus. In section 2.2 we explain the concept of a Gröbner basis. Finally in section 2.3 we define some concepts in graph theory such as expander graphs in order to construct a CGL hash function.

2.1 Weil Conjectures

We will use the term curve for a projective variety of dimension one over a field $K$. In particular we are interested in nonsingular (or smooth) curves and will assume the field $K$ to be perfect. A field is called perfect if every irreducible polynomial over $K$ has distinct roots. Examples of perfect fields are fields of characteristic zero, finite fields, algebraically closed fields, etc. The reason for this assumption is that perfect fields have certain properties that make them easier to work with, e.g. the notions of smoothness and being nonsingular actually coincide. The application we will discuss makes use of a finite field $\mathbb{F}_{p^r}$ and its algebraic closure, so the restriction is justified.

Any rational map $\varphi : C_1 \to C_2$ is a morphism if $C_1$ is smooth. We also have the following result, which implies that the restriction to smooth curves is not a severe one.

Theorem 2.1. Every curve is birationally equivalent to a nonsingular projective curve.

Proof. See [Har13, I, Section 6].

We will now explain the concept of the genus of a curve. The notion of genus can be introduced in various ways and under certain conditions these definitions coincide. We will approach it by using Riemann's inequality, but for a more in-depth discussion using differentials we refer the interested reader to [Sil09].

Definition 2.1. Let $C$ be a smooth projective curve defined over $K$. A divisor $D$ is an element of the free abelian group over the points of $C$ with coordinates in $\overline{K}$, i.e.

$$D = \sum_{P \in C} n_P P, \qquad n_P \in \mathbb{Z},$$

where almost all $n_P$ are zero. The degree of $D$, denoted $\deg(D)$, is the integer $\sum_{P \in C} n_P$.


A divisor $D$ is said to be defined over $K$ if $\sigma(D) = D$ for all $\sigma \in \mathrm{Gal}(\overline{K}/K)$. The set of degree zero divisors defined over $K$ of a given curve $C$ is a group and will be denoted $\mathrm{Div}^0_C$. A divisor $D = \sum_{P \in C} n_P P$ of $C$ is called effective if $n_P \ge 0$ for all $P \in C$, and we will denote this partial order by $D \ge 0$. Similarly, if $D$ and $E$ are divisors of $C$ then we will write $D \ge E$ if $D - E$ is effective.

The valuation of a rational function $f$ at a point $P$, denoted $v_P(f)$, is defined as follows. If $f$ is zero with multiplicity¹ $n$ at $P$ then $v_P(f) = n$. If $1/f$ is zero with multiplicity $n$ at $P$ then $v_P(f) = -n$. If it is neither, then we define the valuation of $f$ at $P$ to be zero. This notion gives rise to the following definition.

Definition 2.2. Let $C$ be a smooth curve defined over $K$ and let $f$ be a nonzero element of its function field $K(C)$. The divisor of $f$ is called a principal divisor and is defined by

$$\mathrm{div}(f) = \sum_{P \in C} v_P(f)\, P.$$

The partial order we imposed earlier on divisors of $C$ can be used to express conditions on a function from its function field through its principal divisor. For example, let $f \in K(C)$ be a function that has a pole of order at most $n$ at $Q$, is regular everywhere else, and has a zero of order at least $m$ at $P$. Then we can summarize this information by writing

$$\mathrm{div}(f) \ge mP - nQ.$$

It can be shown that the divisor of a rational function is a finite formal sum and always has degree zero. For a proof and a more in-depth discussion about divisors, see for example [MWZ96]. Before stating Riemann's inequality we need to introduce one more concept.

Proposition 2.1. Let $C$ be a smooth curve defined over $K$ and $D$ a divisor of $C$. Then

$$\{f \in K(C)^\times \mid \mathrm{div}(f) \ge -D\} \cup \{0\}$$

is a finite dimensional $K$-vector space, whose dimension we will denote by $\ell(D)$.

Proof. See [Har13, II, Theorem 5.19].

The Riemann-Roch theorem gives an important connection between $\deg(D)$ and $\ell(D)$. For our purpose it suffices to work with the easier formulation also known as Riemann's inequality.

Proposition 2.2 (Riemann's inequality). Let $C$ be a smooth curve defined over $K$. Then there exists an integer $g$ such that for every divisor $D$ of $C$ we have

$$\ell(D) \ge \deg(D) - g + 1.$$

The smallest integer $g$ for which this holds is called the genus of $C$.

Proof. See [Lan12, Section 1.2].

¹ The notion of multiplicity in this context is more subtle than we make it appear. Explaining it thoroughly would take us too far however, so we will just use the intuitive explanation informally.


It can be shown that for example any smooth projective curve of genus zero over a field $K$ is isomorphic to a conic in $\mathbb{P}^2(K)$. Examples of higher genus curves are (hyper)elliptic curves, which we will handle more in-depth in the following chapters. In order to state the Weil conjectures we just need the fact that the genus is an invariant of a curve. We will make use of the zeta function of an algebraic variety as well. For this we will work over a field $\mathbb{F}_q$ where $q = p^r$ for some prime $p$.

Definition 2.3. Let $C$ be a curve defined over $\mathbb{F}_q$. The zeta function of $C$ over $\mathbb{F}_q$ is the generating function

$$Z(C(\mathbb{F}_q);T) = \exp\left( \sum_{k=1}^{\infty} \frac{N_k}{k} T^k \right),$$

where $N_k$ is the number of $\mathbb{F}_{q^k}$-rational points of $C$.

The zeta function is a formal power series and captures a lot of important information about a curve $C$. The following results are known as specific parts of the Weil conjectures. This version was proved by Weil in 1949, while the more general statements have only been proved since 1973 by Deligne.

Theorem 2.2 (Weil conjectures). Let $C$ be a smooth projective curve of genus $g$ defined over $\mathbb{F}_q$ with corresponding zeta function $Z(C(\mathbb{F}_q);T)$.

1. $Z(C(\mathbb{F}_q);T)$ is a rational function. More precisely, it can be written as

$$Z(C(\mathbb{F}_q);T) = \frac{P(T)}{(1 - T)(1 - qT)},$$

with $P(T) \in \mathbb{Z}[T]$ a polynomial of degree $2g$.

2. The roots $\alpha_1, \ldots, \alpha_{2g}$ of $T^{2g} P(1/T)$ (this is the reciprocal polynomial of the numerator) all satisfy $|\alpha_i| = \sqrt{q}$.

3. The aforementioned roots $\alpha_i$ are pairwise complex conjugated, i.e. they can be sorted such that $\alpha_i \alpha_{i+g} = q$.

2.2 Gröbner Basis

A Gröbner basis is a specific type of generating set for an ideal of a polynomial ring $K[x_1, \ldots, x_n]$. It is an important tool in computational algebra since certain properties can be deduced easily from it.

In order to make a precise definition, we first need to fix a total order on all monomials in the polynomial ring $K[x_1, \ldots, x_n]$ that additionally satisfies the following properties:

1. for all monomials $f, g \in K[x_1, \ldots, x_n]$ it holds that $f \le fg$,

2. for all monomials $f, g, h \in K[x_1, \ldots, x_n]$ it holds that $f \le g \iff fh \le gh$.


A total order that satisfies these conditions is called a monomial ordering. As an example, we can look at $\mathbb{Q}[x, y]$ and define the order as

$$1 < x < y < x^2 < xy < y^2 < x^3 < x^2y < xy^2 < y^3 < x^4 < \ldots$$

This type of order is called the graded lexicographical ordering. The specific order that is used is not of importance to us; it is only required that one such order is chosen and fixed to define a Gröbner basis.² Once this order is fixed, we can write down any polynomial in decreasing order with regard to the monomials. With our previous example in mind, $f(x, y) = 7x^2y + x^3 - 3y^2 + 5x^2 - y$ is written in decreasing graded lexicographical ordering. We call the first term in this notation the leading term and write $LT(f) = 7x^2y$. With this in mind we can properly define the concept of a Gröbner basis.

Definition 2.4. Let $I$ be an ideal in a polynomial ring $K[x_1, \ldots, x_n]$ with a fixed monomial ordering. A Gröbner basis $G = \{g_1, \ldots, g_m\}$ is a generating set for $I$ such that $(LT(g_1), \ldots, LT(g_m))$ equals the ideal generated by the leading terms of polynomials in $I$.

We will say that a Gröbner basis $G$ is reduced if for any $g, h \in G$ such that $g$ divides $h$ we have that $g$ equals $h$. Remark that a Gröbner basis may contain more elements than the minimum number of polynomials required to generate the associated ideal $I$, so it is not a basis in the typical sense of the word. With the above example in mind, it can be shown that $\{y^2, xy, x^2 - \tfrac{1}{2}y\}$ is a Gröbner basis for the ideal $I = (y^3 - 2xy, xy^2 - 2x^2 + y)$, for example.

Every generating set for any ideal in a polynomial ring can be transformed into a Gröbner basis. The first such transformation described in the literature is Buchberger's algorithm, although more efficient algorithms have popped up since. This process of transforming a set of polynomials into a Gröbner basis is a generalization of other algorithms such as Gaussian elimination and Euclid's algorithm for computing the greatest common divisor. We will not delve further into computing Gröbner bases but will just use the fact that such a basis always exists. Additionally we will blindly rely on Magma's Gröbner basis calculation algorithm to compute these bases. We finish this section with the following important property.

Proposition 2.3. Let $G$ be a reduced Gröbner basis for $I \subseteq K[x_1, \ldots, x_n]$. Then the variety defined by $I$ is empty over $\overline{K}$ if and only if $G = \{1\}$.

Proof. This is immediate from Hilbert's Nullstellensatz.

2.3 CGL Hash Functions from Expander Graphs

Hash functions have been in common use for decades now, with one of the most well-known applications being authentication protocols. In its most simple form, a cryptographic hash function is a function that maps inputs of any finite size to an output of fixed finite size. Additionally however, this function also satisfies some other properties that make it useful for cryptographic purposes. Two of the most common ones are collision resistance and preimage resistance.

² In practice, different monomial orderings can have wildly varying computing performance however.


Definition 2.5. We say that a hash function $h : X \to Y$ is collision resistant if it is computationally infeasible to find $x_1, x_2 \in X$ such that $h(x_1) = h(x_2)$.

Definition 2.6. We say that a hash function $h : X \to Y$ is preimage resistant if, when given $y \in Y$, it is computationally infeasible to find $x \in X$ such that $h(x) = y$.

By computationally infeasible we mean that any probabilistic algorithm succeeds with negligible probability. We first recall some basic definitions from graph theory before introducing the concept of a CGL hash function.

An (undirected) graph $G$ is an ordered pair $(V, E)$, consisting of a set of vertices $V$ and a set of (unordered) edges $E \subseteq V \times V$. A path from the vertex $v_1$ to $v_n$ is a sequence of vertices $v_1, v_2, \ldots, v_n$ such that $\{v_i, v_{i+1}\} \in E$ for all $i \in \{1, 2, \ldots, n-1\}$. A graph is called connected if there is a path between any two vertices, otherwise it is called disconnected. The distance between two vertices is the length of the shortest path between them. The diameter of a connected graph is the largest of the distances amongst its vertices. A vertex $v_1$ is said to be a neighbor of $v_2$ if there is an edge between $v_1$ and $v_2$. If $U \subseteq V$ is a subset of vertices, we define the boundary of $U$, denoted $\Gamma(U)$, as the set of all neighbors of $U$ minus all elements of $U$. The degree of a vertex $v$ is the number of edges in $E$ containing $v$. We say that a graph is $k$-regular if every vertex has degree $k$. The adjacency matrix of a graph $G$ with vertex set $V = \{v_1, v_2, \ldots, v_n\}$ and edge set $E$ is the $n \times n$ matrix $A$ such that $A_{i,j}$ equals 1 if $\{v_i, v_j\} \in E$, and $A_{i,j}$ equals 0 otherwise. Note that since we work with undirected graphs, the adjacency matrix will be symmetric and hence have positive eigenvalues.

Finally, we define two more complicated concepts.

Definition 2.7. A graph $G$ with $\#V$ vertices is an expander graph with expansion constant $c > 0$ if for any subset $U \subseteq V$ of size $\#U \le \#V/2$ the boundary $\Gamma(U)$ has size $\#\Gamma(U) \ge c \cdot \#U$.

Definition 2.8. A $k$-regular connected graph $G$ is a Ramanujan graph if the absolute value of any eigenvalue of the adjacency matrix of $G$ is either $k$ or not larger than $2\sqrt{k-1}$.

This definition of expander graph is sometimes referred to as the edge expansion property. Other definitions exist but this one is probably the most intuitive. The definition quantifies how well subsets of vertices are connected to the rest of the graph. The expansion constant $c$ can be seen as a measure of how close or far $G$ is from being disconnected. It follows from the definition that any expander graph is connected. Indeed, if $G$ is disconnected then at least one connected component has at most $\#V/2$ vertices. The boundary of the vertices of this connected component is empty, hence it cannot be an expander graph. Expander graphs are said to have the rapid mixing property. Intuitively this means that random paths (by this we mean choosing the next edge uniformly out of all possible edges) of length the diameter of the graph, starting from any given vertex, terminate on any given vertex with probability close to uniform.

The definition of a Ramanujan graph is a lot less intuitive. They are an optimal kind of expander graphs. For more information see for example [HLW06].

There is an obvious way to construct a hash function from an expander graph. We will work with a concrete example, the Petersen graph. This is a well known 3-regular graph that can be proved to be Ramanujan. The graph is small so we can depict it, but it can easily be seen as a part of a much larger graph. The graph can be seen in Figure 2.1.

[Figure 2.1: drawing of the Petersen graph with vertices A to J and the edges of the walk labelled 0 and 1.]

Figure 2.1: Hashing the input 110 with starting vertex A results in an output of H.

We can always transform our input into a binary message, so let’s assume wewant to hash the message 110. At first we take an arbitrary fixed starting vertex,in our case this is the vertex A. Next we have 3 edges leaving A. We choose one toignore for now (again, the choice can be arbitrary as long as it’s fixed) and label theother two 0 respectively 1. This labeling has to be done the exact same way everytime someone walks through the graph. Depending on the way the graph is storedthis can be done alphabetically for example, although more natural labellings canoccur of course.

Next we read the first digit of our message and walk along the edge that carries the same label. This brings us to the vertex B. Now we have 3 edges leaving B, but we ignore the one we just passed and label the other two 0 and 1 respectively. The reason for ignoring the edge we just passed is that we do not want the path to backtrack: being able to backtrack in our graph would result in easy collisions for our hash function, which is something we want to avoid. So the original ignoring of a third edge at A was a one-time arbitrary choice that happens only at the start of the hash function. Now we read the second digit of our message, walk along the edge with the same label and end up in C. We repeat this process once more and end up in H. We say that H is our output (or hash value). This type of hash function based on expander graphs was proposed by Charles, Goren and Lauter in [CGL09].
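The walk just described, as an added worked example (this code is not part of the thesis): the Petersen graph of Figure 2.1 is stored as an adjacency dictionary, the walk drops the edge it arrived by (at the start vertex a fixed, arbitrarily chosen edge plays that role; here the spoke from A to F) and gives the alphabetically first and second remaining neighbour the labels 1 and 0. That label order is my convention, chosen so that the input 110 from A visits B and C and ends at H exactly as in the figure. The helper `collisions` enumerates all messages of a given length; on 10 vertices colliding messages are found immediately, which is why the real construction uses a graph far too large to enumerate.

```python
from itertools import product

# Added example (not code from the thesis): the CGL-style walk of section 2.3 on the
# Petersen graph of Figure 2.1.  Vertex names follow the figure: A-E form the outer
# pentagon, F-J the inner pentagram, and A-F, B-G, C-H, D-I, E-J are the spokes.
PETERSEN = {
    "A": {"B", "E", "F"}, "B": {"A", "C", "G"}, "C": {"B", "D", "H"},
    "D": {"C", "E", "I"}, "E": {"D", "A", "J"}, "F": {"A", "H", "I"},
    "G": {"B", "I", "J"}, "H": {"C", "F", "J"}, "I": {"D", "F", "G"},
    "J": {"E", "G", "H"},
}

def petersen_walk(graph, bits, start="A", ignored="F"):
    """Non-backtracking walk.  At every vertex the edge we arrived by is dropped (at
    `start` the fixed edge towards `ignored` plays that role) and the two remaining
    neighbours, in alphabetical order, get the labels 1 and 0.  The labelling is an
    arbitrary but fixed convention, chosen here so that 110 ends in H as in the figure."""
    path, prev = [start], ignored
    for bit in bits:
        here = path[-1]
        choices = sorted(graph[here] - {prev})          # the two admissible edges
        assert len(choices) == 2, "the walk assumes a 3-regular graph"
        path.append(choices[0] if bit == "1" else choices[1])
        prev = here
    return path

def petersen_hash(graph, bits, start="A", ignored="F"):
    """The hash value is the vertex where the walk ends."""
    return petersen_walk(graph, bits, start, ignored)[-1]

def is_non_backtracking(path):
    """True iff no step immediately retraces the edge taken just before it."""
    return all(path[i] != path[i + 2] for i in range(len(path) - 2))

def collisions(graph, length):
    """Hash values reached by more than one `length`-bit message.  On 10 vertices this
    brute force succeeds at once; CGL relies on a graph far too large to enumerate."""
    table = {}
    for bits in product("01", repeat=length):
        msg = "".join(bits)
        table.setdefault(petersen_hash(graph, msg), []).append(msg)
    return {h: msgs for h, msgs in table.items() if len(msgs) > 1}

if __name__ == "__main__":
    print(" -> ".join(petersen_walk(PETERSEN, "110")))   # A -> B -> C -> H
    print(collisions(PETERSEN, 3))
```

Changing `ignored` or the label order changes every hash value, which is the point of the text's remark that these choices are arbitrary but must be fixed once and for all.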


Chapter 3

Hash Functions from Supersingular Elliptic Curves

We define (supersingular) elliptic curves and a group operation on them in section 3.1. In section 3.2 we define maps between elliptic curves. Finally, in section 3.3, we talk about graphs constructed by these concepts and some of their properties in order to turn them into a CGL hash function. We will finish this chapter in section 3.4 by explaining the SIDH key exchange protocol since it resembles the CGL hash function in certain ways.

Throughout this chapter, we will assume that the field we are working over has characteristic different from 2 and 3, which allows easier notation. Again, we will assume the field $K$ to be perfect, although most results hold as well if $K$ is imperfect. For a more general approach, see [Sil09].

3.1 Group Law on Elliptic Curves

Elliptic curves are curves of genus one over a given field $K$ with a specified base point. They are defined as the projective variety in $\mathbb{P}^2(K)$ associated with a homogeneous equation in three variables, although it is customary to write the equation in affine form.

Definition 3.1. An elliptic curve $E$ over a field $K$ of characteristic different from 2 and 3 is an algebraic curve defined by a Weierstraß equation of the form
$$E : y^2 = x^3 + Ax + B,$$
with $A, B \in K$, such that $4A^3 + 27B^2 \neq 0$.

If $K$ is not algebraically closed, the points of $E$ are considered to be in $\overline{K}$. The points defined over $K$ are called the rational points of $E$ and will be denoted $E(K)$. To avoid confusion, we may also sometimes refer to the points of $E$ as $E(\overline{K})$.

The condition $4A^3 + 27B^2 \neq 0$ in the above definition implies that the equation $x^3 + Ax + B = 0$ has no repeated roots over $\overline{K}$. So by definition we require an elliptic curve to be nonsingular.

When the equation is considered in projective space, i.e. $y^2 z = x^3 + Axz^2 + Bz^3$, we see that we have an extra point $[0 : 1 : 0]$. This point is referred to as the point at infinity and will be denoted $O_E$. This point at infinity allows us to equip the set of points of $E$ with an operation such that it turns into a group. The group operation is commonly referred to as the chord-and-tangent method and a visualization in the real plane is given in Figure 3.1. The group law is commutative, so it will be denoted by a plus sign, and works as follows.

[Figure 3.1: (a) Adding two distinct points: the line through $P$ and $Q$ meets $E$ again in $-(P+Q)$, which is reflected to $P+Q$. (b) Adding a point to itself: the tangent at $P$ meets $E$ again in $-(P+P)$, which is reflected to $P+P$.]

Figure 3.1: The geometric interpretation of the group law of an elliptic curve.

For points $P, Q \in E$ we draw the line through $P$ and $Q$ and define the third point of intersection of $E$ with this line to be $-(P+Q)$. Reflecting this point in the $x$-axis we get the point $P+Q$. If $P$ equals $Q$, the line through $P$ and $P$ is the tangent line to $E$ at $P$. If $Q$ equals $O_E$, then the line through $P$ and $O_E$ is the vertical line through $P$, so that $P + O_E = P$. So the point at infinity plays the role of identity element in our group.

Proving that this turns the points of $E$ into a group is not completely trivial, especially the associativity property. It can be done by explicit computation or by using properties of the projective plane. See [ST92, Section 1.2] for a proof. The set of rational points of $E$ is not just a subset of the set of points of $E$, but a subgroup as well. This property is used in classical elliptic curve cryptography applications.

Furthermore, for $n \in \mathbb{N} \setminus \{0\}$ and $P \in E$ we will use the notation
$$[n]P = \underbrace{P + P + \cdots + P}_{n \text{ times}}.$$
This can easily be extended to $n \in \mathbb{Z}$ by defining $[0]P = O_E$ and, for $n < 0$, $[n]P = [-n](-P)$. We will write $E[n]$ for the kernel of the scalar multiplication map $[n]$, i.e.
$$E[n] = \{P \in E(\overline{K}) \mid [n]P = O_E\}.$$
These notations give rise to the following definition.

Definition 3.2. Let $E$ be an elliptic curve over $K$ and $n \in \mathbb{Z}$. An element $P \in E[n]$ is called an $n$-torsion point of $E$.

The n-torsion points of an elliptic curve are well understood.

Theorem 3.1. Let $E$ be an elliptic curve over $K$ and $n \in \mathbb{Z} \setminus \{0\}$.

• If $\operatorname{char}(K) \nmid n$ then $E[n] \cong (\mathbb{Z}/n\mathbb{Z})^2$.

• If $\operatorname{char}(K) = p > 0$ then there are two options for the $p^e$-torsion points:
$$E[p^e] \cong \begin{cases} \{O_E\} & \text{for all } e \geq 1, \text{ or} \\ \mathbb{Z}/p^e\mathbb{Z} & \text{for all } e \geq 1. \end{cases}$$

Proof. See [Sil09, III, Corollary 6.4].

It is remarkable that if $E[p^e]$ is trivial for one value of $e$, it is trivial for all values of $e$. This means it suffices to look at the $p$-torsion points to find a complete characterization. The distinction between the two cases will be of particular interest to us, so we will assign a name to them.

Definition 3.3. Let $E$ be an elliptic curve over $K$ where $\operatorname{char}(K) = p > 0$. The elliptic curve $E$ is called ordinary if $E[p] \cong \mathbb{Z}/p\mathbb{Z}$, and supersingular if $E[p] = \{O_E\}$.

The term supersingular is somewhat unfortunate. By definition an elliptic curve is nonsingular, so the term does not refer to the smoothness of the curve. It was chosen for historic reasons to refer to an exceptional curve. The nomenclature is well established however, so we will make use of it.

When an elliptic curve $E$ is defined over a finite field $\mathbb{F}_{p^r}$, the property of being supersingular can be determined from its Weierstraß equation. More precisely, if $E$ is given by the equation $y^2 = x^3 + Ax + B$, then $E$ is supersingular if and only if the coefficient of $x^{p^r - 1}$ in $(x^3 + Ax + B)^{(p^r - 1)/2}$ is zero.
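As an added example (not code from the thesis), the criterion above in the case $r = 1$: the coefficient of $x^{p-1}$ in $(x^3 + Ax + B)^{(p-1)/2}$ is computed with truncated polynomial arithmetic over $\mathbb{F}_p$ and compared with a naive point count. Summing $f(x)^{(p-1)/2}$ over $x \in \mathbb{F}_p$ shows that this coefficient is congruent to the trace of Frobenius $a_p = p + 1 - \#E(\mathbb{F}_p)$ modulo $p$, and since $|a_p| \le 2\sqrt{p} < p$ for $p \ge 5$, a supersingular curve over $\mathbb{F}_p$ has exactly $p + 1$ points. The test curves $y^2 = x^3 + x$ (supersingular iff $p \equiv 3 \pmod 4$) and $y^2 = x^3 + 1$ (supersingular iff $p \equiv 2 \pmod 3$) and the small primes are my choices.

```python
# Added example (not code from the thesis): the supersingularity criterion for r = 1,
# i.e. over F_p, cross-checked against a naive point count.  Curves and primes are mine.

def poly_mul_mod(f, g, p, maxdeg):
    """Product of two polynomials over F_p (coefficient lists, lowest degree first),
    truncated to degree <= maxdeg; higher coefficients never influence lower ones."""
    h = [0] * min(len(f) + len(g) - 1, maxdeg + 1)
    for i, a in enumerate(f[:maxdeg + 1]):
        if a:
            for j, b in enumerate(g[:maxdeg + 1 - i]):
                h[i + j] = (h[i + j] + a * b) % p
    return h

def poly_pow_mod(f, n, p, maxdeg):
    """f^n over F_p by square-and-multiply, truncated to degree <= maxdeg."""
    result, base = [1], f[:maxdeg + 1]
    while n:
        if n & 1:
            result = poly_mul_mod(result, base, p, maxdeg)
        base, n = poly_mul_mod(base, base, p, maxdeg), n >> 1
    return result

def hasse_coefficient(A, B, p):
    """Coefficient of x^(p-1) in (x^3 + A x + B)^((p-1)/2) mod p.  Summing f(x)^((p-1)/2)
    over x in F_p shows it is congruent to a_p = p + 1 - #E(F_p), the trace of Frobenius."""
    if p < 5 or (4 * A**3 + 27 * B**2) % p == 0:
        raise ValueError("need p >= 5 and a nonsingular curve")
    f = [B % p, A % p, 0, 1]                               # B + A x + 0 x^2 + x^3
    coeffs = poly_pow_mod(f, (p - 1) // 2, p, p - 1)
    return coeffs[p - 1] if len(coeffs) > p - 1 else 0

def is_supersingular(A, B, p):
    """E is supersingular iff the Hasse coefficient vanishes, i.e. a_p = 0 mod p."""
    return hasse_coefficient(A, B, p) == 0

def count_points(A, B, p):
    """#E(F_p), O_E included: each x contributes 1 + (Legendre symbol of x^3 + A x + B)."""
    total = p + 1
    for x in range(p):
        v = (x**3 + A * x + B) % p
        if v:
            total += 1 if pow(v, (p - 1) // 2, p) == 1 else -1
    return total

if __name__ == "__main__":
    for A, B, p in [(1, 0, 103), (1, 0, 101), (0, 1, 101), (0, 1, 103)]:
        print(f"y^2 = x^3 + {A}x + {B} over F_{p}: supersingular={is_supersingular(A, B, p)},"
              f" #E = {count_points(A, B, p)}")
```

For $r > 1$ the same computation applies with coefficients in $\mathbb{F}_{p^r}$ and exponent $(p^r - 1)/2$; the point count then becomes $p^r + 1 - a_{p^r}$, and $a_{p^r} \equiv 0 \pmod p$ is still the supersingularity condition.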

3.2 Isogenies

Elliptic curves can be seen both as algebraic varieties and as groups. Ideally, if we define maps on them, we would like those maps to preserve both structures. Fortunately that will not be hard to enforce.

Let us look at maps given by linear changes of coordinates first, since these are invertible. Because linear maps preserve lines, it is easily seen that they also preserve the group operation we defined. If these maps also preserve the Weierstraß form of the equation, it can be shown that they must be of the form
$$(x, y) \mapsto (u^2 x', u^3 y')$$
for some $u \in K^\times$. For a proof of this statement, see [Sil09, Chapter III, Proposition 3.1]. In order to easily recognize isomorphic elliptic curves, we introduce the following definition and accompanying theorem.

Definition 3.4. Let $E$ be an elliptic curve over $K$ given by the equation $y^2 = x^3 + Ax + B$. Then the $j$-invariant of $E$ is given by
$$j(E) = 1728\,\frac{4A^3}{4A^3 + 27B^2}.$$

Theorem 3.2. Let $E_1$ and $E_2$ be elliptic curves over $K$. Then $E_1$ and $E_2$ are isomorphic over $\overline{K}$ if and only if $j(E_1) = j(E_2)$.

Proof. See [Sil09, III, Proposition 1.4].


Note that the denominator in the definition of the $j$-invariant is never zero since we defined an elliptic curve to always be smooth. For any given $j$-invariant it is easy to construct an elliptic curve with that $j$-invariant. If $j$ is 0 or 1728 then representatives for the classes of isomorphic elliptic curves are given by the respective equations $y^2 = x^3 + 1$ and $y^2 = x^3 + x$. In all other cases a representative is given by
$$y^2 = x^3 + \frac{3j}{1728 - j}\,x + \frac{2j}{1728 - j}.$$
Since isomorphic objects can be considered equal in this discussion, we can label isomorphism classes of elliptic curves by their $j$-invariant because of the previous theorem. We now take a look at more general maps.

Definition 3.5. Let $E_1$ and $E_2$ be elliptic curves over $K$. An isogeny $\phi : E_1 \to E_2$ is a non-constant regular map of curves such that $\phi(O_{E_1}) = O_{E_2}$.

It may seem more intuitive to define a map between elliptic curves as a group homomorphism first, since that restriction seems harsher. A map that preserves the group operation always preserves the neutral element, but the following theorem shows that in the case of elliptic curves the converse is true as well.

Theorem 3.3. Let $\phi : E_1 \to E_2$ be a regular map between elliptic curves. Then $\phi$ is an isogeny if and only if $\phi$ is a non-constant group homomorphism.

Proof. See [Sil09, III, Theorem 4.8].

So it suffices to have a regular map that sends the neutral element to the neutral element in order to preserve the group structure of elliptic curves. A non-constant regular map of smooth algebraic curves is surjective and induces a finite field extension of function fields [Har13, II, Proposition 6.8]. This observation leads to the following definitions.

Definition 3.6. The degree of an isogeny $\phi : E_1 \to E_2$, denoted $\deg(\phi)$, is the degree of the finite extension of function fields $[K(E_1) : \phi^* K(E_2)]$. An isogeny of degree $l$ is called an $l$-isogeny. We say that an isogeny $\phi$ is (in)separable if the function field extension is (in)separable.

The following theorem says that separable isogenies can be identified with theirkernel.

Theorem 3.4. If $\phi : E_1 \to E_2$ is an isogeny, then $\ker \phi$ is a finite group. Conversely, if $\Phi$ is a finite subgroup of an elliptic curve $E_1$, then there exists an elliptic curve $E_2$, unique up to isomorphism over $\overline{K}$, and a separable isogeny $\phi : E_1 \to E_2$ such that $\ker \phi = \Phi$.

Proof. See [Sil09, III, Corollary 4.9 and Proposition 4.12].

In particular, if $\phi$ is a separable isogeny then $\#\ker\phi = \deg(\phi)$. When given a finite subgroup $\Phi \leq E$, we will denote the unique elliptic curve $E_2$ from the previous theorem by $E/\Phi$. This correspondence between isogenies and finite subgroups is important since it allows us to write the maps compactly. Any 2-isogeny with domain a given elliptic curve $E$, for example, is completely determined by a single 2-torsion point $P \in E$ and we can write the image as $E/\langle P \rangle$. More generally, it follows from Theorem 3.1 that if $l$ is a prime different from the characteristic of the field $K$, then there are precisely $l+1$ subgroups of $E[l]$ of order $l$. So by the previous theorem, each of these subgroups corresponds to a different isogeny of degree $l$.


Algorithms to translate the isogeny $\phi$ from a description by its kernel to a rational map are given by Vélu's formulas [Bos+08].

We conclude this section with the following theorem.

Theorem 3.5. Let $\phi : E_1 \to E_2$ be an isogeny of degree $n$. Then there exists a unique isogeny $\hat\phi : E_2 \to E_1$ such that the composition with $\phi$ is multiplication by $n$, i.e. $\hat\phi \circ \phi = [n] : E_1 \to E_1$. Additionally, $\deg(\hat\phi) = n$ and $\phi \circ \hat\phi = [n] : E_2 \to E_2$.

Proof. See [Sil09, III, Theorem 6.1 and 6.2].

The isogeny $\hat\phi$ is called the dual isogeny. It can be used to show that $\deg([n]) = n^2$. It also implies that being isogenous over $K$ is a well-defined equivalence relation on the set of $K$-isomorphism classes of elliptic curves defined over $K$. Similarly it can be proved that being $l$-isogenous, where $l$ is the degree of the isogeny, is a well-defined equivalence relation.

3.3 Supersingular Isogeny Graphs

With the information from the previous section, we will now construct a graph $G$ from supersingular elliptic curves. We will restrict ourselves to working over a finite field $\mathbb{F}_{p^r}$, where $p$ is typically large. The following theorem tells us something about supersingular elliptic curves over these finite fields.

Theorem 3.6. Let $E$ be a supersingular elliptic curve over $\mathbb{F}_{p^r}$. Up to $\overline{\mathbb{F}_{p^r}}$-isomorphism, $E$ can be defined over $\mathbb{F}_{p^2}$. If $p = 3$ then there is one supersingular elliptic curve. For all other $p$, the number of supersingular elliptic curves, up to $\overline{\mathbb{F}_{p^r}}$-isomorphism, is given by
$$\left\lfloor \frac{p}{12} \right\rfloor + \begin{cases} 0 & \text{if } p \equiv 1 \pmod{12}, \\ 1 & \text{if } p \equiv 5, 7 \pmod{12}, \\ 2 & \text{if } p \equiv 11 \pmod{12}. \end{cases}$$

Proof. See [Sil09, III, Theorem 3.1 and Theorem 4.1].

So the number of supersingular elliptic curves in characteristic $p$ grows linearly with $p$, with a small correction that depends only on the residue class of $p$ modulo 12, and they can all be defined over $\mathbb{F}_{p^2}$. The precise formula will not be used, but it is important to note that we can create arbitrarily large sets of $j$-invariants of supersingular elliptic curves over a finite field by just increasing the size of $p$.

We now define the graph $G(p, l)$, where $l \neq p$ and $l$ is typically small. The vertex set $V$ is the set of isomorphism classes over $\overline{\mathbb{F}_p}$ of supersingular elliptic curves over the finite field $\mathbb{F}_{p^2}$. By the previous theorem, this is a finite set of vertices.¹ The vertices will be labeled by their $j$-invariants.

The edge set $E$ of $G(p, l)$ is defined as follows. For a given vertex $j_1$ choose an elliptic curve $E_1$ with that $j$-invariant. Find a subgroup $\Phi_1$ of $E_1$ of order $l$ and connect $j(E_1)$ to $j(E_1/\Phi_1) = j(E_2)$ by an edge. These edges correspond to $l$-isogenies, which are one-way maps, hence we end up with a directed graph. By duality there is an $l$-isogeny back, which means we can turn this into an undirected graph. The problem with this is that there may not be a canonical way to identify $E_1/\Phi_1$ with $E_2$. This problem stems from the fact that elliptic curves with $j$-invariant 0 or 1728 have automorphisms different from $\pm 1$. If we assume $p \equiv 1 \pmod{12}$ however, then these $j$-invariants do not occur and all elliptic curves have $\pm 1$ as their only automorphisms. This implies there is a canonical choice of $\Phi_2 \leq E_2$ such that $E_2/\Phi_2 \cong E_1$, since the dual isogeny of $-\phi$ is minus the dual isogeny of $\phi$. The condition $p \equiv 1 \pmod{12}$ does not constitute a noticeable restriction in practice, so we will assume it from now on.

¹ Note that the definition of a graph does not technically forbid the use of an infinite set, but a lot of properties of graphs fail to hold in that case.

As we have argued before, each elliptic curve has exactly $l+1$ subgroups of order $l$, hence by continuing the process of adding all $j$-invariants from isogenies we end up with an $(l+1)$-regular graph. This statement hides a small subtlety. Every subgroup $\Phi_i \leq E$ of order $l$ gives rise to a unique $l$-isogeny. However, there is no reason to assume that all the images $E/\Phi_i$ have a different $j$-invariant, nor that they are different from $j(E)$ itself. The previous theorem for example says that for $p = 3$ we only have 1 supersingular elliptic curve. Hence the graph $G(3, 2)$ consists of just 1 vertex with 3 (distinct) loops from the vertex to itself. The edge set $E$ however is a set, and so $G(3, 2)$ would be reduced to just 1 vertex with 1 loop. Sometimes the edge set $E$ is defined to be a multiset, allowing multiple distinct edges between two vertices (also called parallel edges). A graph like that is then referred to as a multigraph. For our discussion however, this distinction is not important and we will just refer to it as a graph.

The graphs G(p, l) have more interesting properties than just being finite.

Theorem 3.7. A G(p, l) graph is an (l + 1)-regular connected Ramanujan graph.

Proof. See [CGL09; Piz90].

In conclusion, our constructed graphs $G(p, l)$ are finite connected $(l+1)$-regular graphs, with vertex set the $j$-invariants of all supersingular elliptic curves over $\mathbb{F}_{p^2}$ and edge set the $l$-isogenies between them. Furthermore, if $l$ is small then the adjacency matrix is sparse (the associated graph is commonly referred to as sparse itself), while the graph is still highly connected because of the Ramanujan property.

There are multiple reasons we work with supersingular elliptic curves instead of ordinary ones. A first one is that it allows us to work in a finite graph where furthermore all $j$-invariants are defined over $\mathbb{F}_{p^2}$. This results in faster computations since we know a bound on the field we work over. A second reason is that in the ordinary case, a graph constructed in a similar way does not result in an expander graph. The only way to enforce this for ordinary elliptic curves is to allow multiple values of $l$, which obviously complicates the computations. Another reason is that we want the 2-torsion points to be defined over the field we work over, since this implies that all computations can then be done over this same field. A sufficient condition for this is working over the field $\mathbb{F}_{p^2}$, which is an immediate consequence of using supersingular elliptic curves whose zeta function has numerator $(pT - 1)^2$ specifically.² Another reason for not working with ordinary elliptic curves is that manoeuvring in their isogeny graphs can be exploited in a way that is impossible with supersingular isogeny graphs. This weakens the security of the hash function, but we will not elaborate on that.

² The link between this zeta function and working over $\mathbb{F}_{p^2}$ is not trivial at all. In order to explain it more thoroughly though, we would need to introduce a lot of new concepts. For that reason we will just refer to the completely analogous discussion regarding this in section 4.3.

In order to turn this graph into a CGL hash function it suffices to fix a starting vertex and an ordering of the outgoing isogenies at every vertex. The output of our hash function is then the $j$-invariant of the ending vertex. A typical choice of ordering is by the $x$-coordinates in $\mathbb{F}_{p^2}$ of the generators of the $l+1$ subgroups of order $l$. The case $l = 2$ is particularly interesting since it results in a 3-regular graph and hence, by disallowing backtracking, we obtain a binary hash function as discussed in the example in section 2.3. This implies that an input of length $n$ bits results in a walk of length $n$ in our graph. Furthermore, the computations for $l = 2$ are rather easy. This stems from the fact that the 3 subgroups of order 2 are determined by the points $(\alpha_i, 0)$, where
$$y^2 = x^3 + Ax + B = (x - \alpha_1)(x - \alpha_2)(x - \alpha_3)$$
is the equation of the elliptic curve $E_1$. If we want to compute the isogeny $\phi$ that corresponds to taking the quotient by, for example, $(\alpha_1, 0)$, Vélu's formulas say that the image of the isogeny is the elliptic curve $E_2$ given by the equation
$$y^2 = x^3 - (4A + 15\alpha_1^2)\,x + (8B - 14\alpha_1^3).$$
Additionally $\phi(\alpha_2, 0) = \phi(\alpha_3, 0)$, and taking the quotient by this element of $E_2$ corresponds to the dual isogeny $\hat\phi$, taking us back to $E_1$. We want to avoid this specific type of backtracking, so in our equation for $E_2$ we can factor out $(x - \bar\alpha_2)$, where $\bar\alpha_2$ is the $x$-coordinate of $\phi(\alpha_2, 0)$, given by
$$\bar\alpha_2 = \alpha_2 + \frac{3\alpha_1^2 + A}{\alpha_2 - \alpha_1}.$$
This leaves us with just a quadratic polynomial to find the roots of, instead of a cubic one.

So in summary, at every step of the hash function we need to factor a quadratic polynomial, choose one of the roots to take the quotient by (with a fixed ordering in mind), calculate the resulting elliptic curve and divide out the factor corresponding to the image of the roots that we did not choose.

3.4 Supersingular Isogeny Diffie-Hellman

In this section we briefly discuss the Supersingular Isogeny Diffie-Hellman key exchange protocol (SIDH), which was first described in [JDF11]. In essence, this protocol works in a graph constructed similarly to $G(p, l)$, so a lot of the theory behind it has already been discussed. We will start by explaining what a classical Diffie-Hellman key exchange protocol is in general. This protocol allows two parties to agree on a shared secret key over an insecure channel.

From a mathematical point of view it makes most sense to explain this while working in a finite cyclic group $G$ with generator $g$ and order $n$. These parameters $G$, $g$ and $n$ are public knowledge, known to anyone that has access to the (insecure) channel. The group $G$ needs to have the property that $g^k$ is easy to calculate for any $k \in \mathbb{Z}$, yet, given both $g$ and $g^k$, it should be hard to find $k$. Alice starts the protocol by picking a secret key $k_A \in \{1, \ldots, n-1\}$ and Bob does the same with $k_B \in \{1, \ldots, n-1\}$. Alice and Bob calculate $g^{k_A}$ and $g^{k_B}$ respectively and exchange these over the insecure channel. Now they can both calculate $(g^{k_A})^{k_B} = g^{k_A k_B} = (g^{k_B})^{k_A}$. This shared new element of $G$ is their secret key. The idea behind the security is that (in certain groups) it is computationally infeasible to calculate $g^{k_A k_B}$ when given only $g$, $g^{k_A}$ and $g^{k_B}$.

While this classical Diffie-Hellman key exchange protocol for groups is commonly used in practice, Shor provided an algorithm that could break it on a quantum computer [Sho99]. This is one of the main motivations behind SIDH and other post-quantum cryptography algorithms. While SIDH is clearly based on the classical Diffie-Hellman key exchange protocol, it still has some fundamental differences. One of these is the lack of symmetry: Alice will work with $\ell_A$-isogenies and Bob will work with $\ell_B$-isogenies.

We will now take a closer look at SIDH and start by fixing the public parameters. They are given by $p$, $E_0$, $(P_A, Q_A)$ and $(P_B, Q_B)$ such that

• $p$ is of the form $\ell_A^{e_A} \ell_B^{e_B} \cdot f \pm 1$, where $\ell_A$ and $\ell_B$ are small primes (typically 2 and 3) and $f$ is a (small) cofactor such that $p$ is prime ($f$ can be assumed to be 1 for the sake of simplicity),

• $E_0$ is a supersingular elliptic curve defined over $\mathbb{F}_{p^2}$ such that
$$E_0(\mathbb{F}_{p^2}) \cong \mathbb{Z}_{\ell_A^{e_A} \ell_B^{e_B} f} \oplus \mathbb{Z}_{\ell_A^{e_A} \ell_B^{e_B} f},$$

• the points $P_A, Q_A \in E_0$ generate the $\ell_A^{e_A}$-torsion, i.e.
$$\langle P_A, Q_A \rangle \cong E_0[\ell_A^{e_A}] \cong \mathbb{Z}_{\ell_A^{e_A}} \oplus \mathbb{Z}_{\ell_A^{e_A}},$$

• the points $P_B, Q_B \in E_0$ generate the $\ell_B^{e_B}$-torsion, i.e.
$$\langle P_B, Q_B \rangle \cong E_0[\ell_B^{e_B}] \cong \mathbb{Z}_{\ell_B^{e_B}} \oplus \mathbb{Z}_{\ell_B^{e_B}}.$$

Note that these last two conditions imply that $P_A, Q_A, P_B, Q_B$ are defined over $\mathbb{F}_{p^2}$, since all $\ell_A^{e_A}$- and $\ell_B^{e_B}$-torsion is defined over $\mathbb{F}_{p^2}$. Next, Alice proceeds as follows:

1. She chooses two random integers $m_A, n_A \in \{0, \ldots, \ell_A^{e_A}\}$ such that at most one of them is divisible by $\ell_A$. She then uses the group $\langle [m_A]P_A + [n_A]Q_A \rangle$ as kernel for an isogeny $\phi_A : E_0 \to E_A$.

2. She computes $(\phi_A(P_B), \phi_A(Q_B))$ and sends this pair to Bob over the insecure channel, together with the elliptic curve $E_A$.

Bob proceeds completely analogously and sends $(\phi_B(P_A), \phi_B(Q_A))$, as well as $E_B$, to Alice. Next, Alice computes an isogeny $\phi_A' : E_B \to E_{BA}$ with kernel $\langle [m_A]\phi_B(P_A) + [n_A]\phi_B(Q_A) \rangle$, which lives on $E_B$. Bob does the same with an isogeny $\phi_B' : E_A \to E_{AB}$ that has kernel $\langle [m_B]\phi_A(P_B) + [n_B]\phi_A(Q_B) \rangle$. The following diagram illustrates this exchange.

[Diagram: $E_0 \xrightarrow{\ \phi_A\ } E_A \xrightarrow{\ \phi_B'\ } E_{AB}$ and $E_0 \xrightarrow{\ \phi_B\ } E_B \xrightarrow{\ \phi_A'\ } E_{BA}$.]

The key point is that it can be proved that the resulting elliptic curves $E_{AB}$ and $E_{BA}$ are the same up to isomorphism. More precisely:
$$E_{AB} \cong E_{BA} \cong E_0 / \langle [m_A]P_A + [n_A]Q_A,\ [m_B]P_B + [n_B]Q_B \rangle.$$
This means that Alice and Bob can now use $j(E_{AB})$ as their secret key. One may wonder why Alice and Bob need to share additional information besides $E_A$ and $E_B$ to compute a shared secret key, or why we need to work with supersingular elliptic curves. Briefly, isogenies are in one-to-one correspondence with nonzero left ideals of the endomorphism ring of the elliptic curve. In the ordinary case, these endomorphism rings are commutative, whereas in the supersingular case they are not (in fact, this non-commutativity can be used as an alternative definition of supersingular elliptic curves). In the ordinary case this means we work with ideals (instead of just left ideals), and endomorphism rings (mostly) remain the same when applying isogenies, while composing isogenies corresponds to multiplying ideals. Since this multiplication commutes, the additional information $P_A, Q_A, P_B, Q_B$ would not be needed if one were to create a similar protocol with ordinary elliptic curves. The commutative structure however has been exploited to create a sub-exponential attack (see [CJS14]). In the supersingular case, the non-commutative endomorphism rings do change when applying isogenies and hence such a property does not exist. This implies that we need to keep working with the curves themselves, so that the aforementioned extra information is needed. For more information about SIDH we refer the interested reader to for example [Tho17].
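As an added worked example serving both the 2-isogeny walk of section 3.3 and the SIDH exchange of section 3.4 (this is not code from the thesis, nor from any SIDH implementation): a toy instance over $\mathbb{F}_{p^2}$ with $p = 431 = 2^4 \cdot 3^3 - 1$, a prime of the SIDH shape with $p \equiv 3 \pmod 4$, so that $\mathbb{F}_{p^2} = \mathbb{F}_p(i)$ with $i^2 = -1$, and $E_0 : y^2 = x^3 + x$, which is supersingular with $E_0(\mathbb{F}_{p^2}) \cong (\mathbb{Z}/432\mathbb{Z})^2$. Vélu's isogeny is evaluated directly from its definition as a sum over the kernel, $\phi(P) = \big(x_P + \sum_Q (x_{P+Q} - x_Q),\ y_P + \sum_Q (y_{P+Q} - y_Q)\big)$ with codomain coefficients $A - 5t$ and $B - 7w$, so one routine covers the 2-isogenies of the hash and the $2^4$- and $3^3$-isogenies of the exchange; for a 2-torsion kernel it reproduces the closed formulas quoted in section 3.3 (checked in the test). The hash walk starts one step away from $j = 1728$ because of the extra automorphisms there (the reason the text assumes $p \equiv 1 \pmod{12}$), so the edge back to $E_0$ is the one ignored at the start, and the 0/1 labels are the two fresh 2-torsion $x$-coordinates sorted as pairs. The SIDH part uses the $m = 1$ normal form for the secret kernels and derives the torsion bases deterministically from the first suitable points found. The prime, the start curve, the labelling and all names are my choices.

```python
# Added example (not code from the thesis): a toy CGL walk on the supersingular 2-isogeny
# graph (section 3.3) and a toy SIDH exchange (section 3.4), both over F_{p^2}, p = 431.
P = 431                      # 2^4 * 3^3 - 1, prime, p = 3 (mod 4): F_{p^2} = F_p(i), i^2 = -1
HALF = (P + 1) // 2          # 1/2 in F_p; field elements are pairs (a, b) meaning a + b*i
def fadd(x, y): return ((x[0] + y[0]) % P, (x[1] + y[1]) % P)
def fsub(x, y): return ((x[0] - y[0]) % P, (x[1] - y[1]) % P)
def fmul(x, y): return ((x[0]*y[0] - x[1]*y[1]) % P, (x[0]*y[1] + x[1]*y[0]) % P)
def fint(k): return (k % P, 0)
def finv(x):                 # 1/x = conj(x) / norm(x) with norm(x) = a^2 + b^2 in F_p
    n = pow((x[0]*x[0] + x[1]*x[1]) % P, P - 2, P)
    return (x[0]*n % P, -x[1]*n % P)
def sqrt_p(n):               # square root in F_p, valid because p = 3 (mod 4); None if non-square
    r = pow(n % P, (P + 1)//4, P)
    return r if r*r % P == n % P else None
def fsqrt(x):                # square root of a + b*i in F_p(i); None if non-square
    a, b = x
    if b == 0:               # -1 is a non-square in F_p, so a or -a has a root in F_p
        r = sqrt_p(a)
        return (r, 0) if r is not None else (0, sqrt_p(-a))
    n = sqrt_p(a*a + b*b)    # a root x0 + x1*i satisfies (x0^2 + x1^2)^2 = a^2 + b^2
    if n is None: return None
    for s in (n, -n):        # x0^2 = (a +- n)/2 and x1 = b / (2 x0)
        r = sqrt_p((a + s) * HALF)
        if r: return (r, b * pow(2*r, P - 2, P) % P)
    return None
def ec_add(A, Pt, Qt):       # chord-and-tangent law on y^2 = x^3 + A x + B; None is O_E
    if Pt is None: return Qt
    if Qt is None: return Pt
    (x1, y1), (x2, y2) = Pt, Qt
    if x1 == x2:
        if fadd(y1, y2) == (0, 0): return None                    # Qt = -Pt
        lam = fmul(fadd(fmul(fint(3), fmul(x1, x1)), A), finv(fmul(fint(2), y1)))
    else:
        lam = fmul(fsub(y2, y1), finv(fsub(x2, x1)))
    x3 = fsub(fsub(fmul(lam, lam), x1), x2)
    return (x3, fsub(fmul(lam, fsub(x1, x3)), y1))
def ec_mul(A, k, Pt):        # [k]Pt by double-and-add
    R = None
    while k:
        if k & 1: R = ec_add(A, R, Pt)
        Pt, k = ec_add(A, Pt, Pt), k >> 1
    return R
def j_invariant(A, B):       # j = 1728 * 4A^3 / (4A^3 + 27B^2)
    a3 = fmul(fint(4), fmul(A, fmul(A, A)))
    return fmul(fmul(fint(1728), a3), finv(fadd(a3, fmul(fint(27), fmul(B, B)))))
def velu(A, B, K, ell, pts):
    # Isogeny with kernel <K>, K of order ell: codomain y^2 = x^3 + (A - 5t)x + (B - 7w) with
    # t = sum g_Q, w = sum (2 y_Q^2 + x_Q g_Q), g_Q = 3 x_Q^2 + A over Q in <K> minus O, and a
    # point Pt outside <K> maps to (x + sum (x_{Pt+Q} - x_Q), y + sum (y_{Pt+Q} - y_Q)).
    kern, t, w = [ec_mul(A, k, K) for k in range(1, ell)], (0, 0), (0, 0)
    for xq, yq in kern:
        g = fadd(fmul(fint(3), fmul(xq, xq)), A)
        t, w = fadd(t, g), fadd(w, fadd(fmul(fint(2), fmul(yq, yq)), fmul(xq, g)))
    imgs = []
    for Pt in pts:
        x, y = Pt
        for Q in kern:
            S = ec_add(A, Pt, Q); x, y = fadd(x, fsub(S[0], Q[0])), fadd(y, fsub(S[1], Q[1]))
        imgs.append((x, y))
    return fsub(A, fmul(fint(5), t)), fsub(B, fmul(fint(7), w)), imgs
def isogeny_chain(A, B, R, ell, e, pts):   # ell^e-isogeny with kernel <R> as e steps of degree ell
    for i in range(e):
        K = ec_mul(A, ell**(e - 1 - i), R)                         # point of order ell
        A, B, imgs = velu(A, B, K, ell, ([R] + pts) if i < e - 1 else pts)
        if i < e - 1: R, imgs = imgs[0], imgs[1:]
        pts = imgs
    return A, B, pts
A0, B0 = fint(1), fint(0)    # E0 : y^2 = x^3 + x, j = 1728, supersingular because p = 3 (mod 4)
def two_torsion_x(A, known): # roots of (x^3 + Ax + B)/(x - known) = x^2 + known*x + known^2 + A
    s = fsqrt(fsub(fsub((0, 0), fmul(fint(3), fmul(known, known))), fmul(fint(4), A)))
    assert s is not None, "all 2-torsion is F_{p^2}-rational on the curves we reach"
    mk = fsub((0, 0), known)
    return sorted([fmul(fadd(mk, s), fint(HALF)), fmul(fsub(mk, s), fint(HALF))])  # fixed 0/1 order
def cgl_walk(bits, A, B, back):            # non-backtracking walk; `back` is the root that undoes the last step
    for b in bits:
        r = two_torsion_x(A, back)
        c, o = r[int(b)], r[1 - int(b)]                            # kernel root, other root
        A, B, [(back, _)] = velu(A, B, (c, (0, 0)), 2, [(o, (0, 0))])  # image of (o, 0) spans the dual kernel
    return A, B, back
def cgl_hash(bits):          # start one step from E0: j = 1728 has extra automorphisms (p = 1 mod 12 caveat)
    A1, B1, [(back, _)] = velu(A0, B0, ((0, 1), (0, 0)), 2, [((0, 0), (0, 0))])  # quotient by (i, 0)
    return j_invariant(*cgl_walk(bits, A1, B1, back)[:2])           # `back` leads to E0: the ignored edge
def torsion_basis(ell, e):   # P, Q generating E0[ell^e]; #E0(F_{p^2}) = (p+1)^2 with exponent p + 1
    cof, basis = (P + 1) // ell**e, []
    for n in range((P - 1) ** 2):          # scan x = a + b*i with a, b >= 1 (real or imaginary x
        x = (1 + n // (P - 1), 1 + n % (P - 1))   # only give Frobenius eigenvectors, which never span E[2^4])
        y = fsqrt(fadd(fmul(x, fmul(x, x)), x))
        if y is None: continue
        T = ec_mul(A0, cof, (x, y)); T1 = ec_mul(A0, ell**(e - 1), T)  # T1 != O iff T has order ell^e
        if T1 and all(T1[0] != ec_mul(A0, ell**(e - 1), S)[0] for S in basis):  # independent mod ell
            basis.append(T)
            if len(basis) == 2: return basis
EA, EB = (2, 4), (3, 3)      # Alice uses 2^4-isogenies, Bob 3^3-isogenies (2^4 * 3^3 = p + 1)
def sidh_demo(sA, sB):       # secret kernels <PA + [sA]QA> and <PB + [sB]QB> (the m = 1 normal form)
    PA, QA = torsion_basis(*EA); PB, QB = torsion_basis(*EB)
    RA, RB = ec_add(A0, PA, ec_mul(A0, sA, QA)), ec_add(A0, PB, ec_mul(A0, sB, QB))
    Aa, Ba, (PBa, QBa) = isogeny_chain(A0, B0, RA, *EA, [PB, QB])  # Alice sends E_A, phi_A(PB), phi_A(QB)
    Ab, Bb, (PAb, QAb) = isogeny_chain(A0, B0, RB, *EB, [PA, QA])  # Bob sends E_B, phi_B(PA), phi_B(QA)
    Aba, Bba, _ = isogeny_chain(Ab, Bb, ec_add(Ab, PAb, ec_mul(Ab, sA, QAb)), *EA, [])  # Alice on E_B
    Aab, Bab, _ = isogeny_chain(Aa, Ba, ec_add(Aa, PBa, ec_mul(Aa, sB, QBa)), *EB, [])  # Bob on E_A
    return j_invariant(Aba, Bba), j_invariant(Aab, Bab)           # equal: E_BA and E_AB are isomorphic
```

`cgl_hash("1101")` returns a pair `(a, b)` standing for the $j$-invariant $a + bi \in \mathbb{F}_{p^2}$, and `sidh_demo(5, 17)` returns two equal $j$-invariants. With $p = 431$ the graph has only 37 vertices, so hash collisions are found by enumeration and the shared secret takes one of at most 37 values; the code shows the mechanics of both constructions, not their security level.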


Chapter 4

Hash Functions from Supersingular Hyperelliptic Curves

In this chapter we will generalize the notions of the previous chapter to curves of higher genus. We define (supersingular) hyperelliptic curves of genus two and a group operation on them in section 4.1. In section 4.2 we explain how we can construct a specific type of isogeny between these types of curves. In section 4.3 we construct a graph from the concepts in the previous sections and explain how we can turn this into a CGL hash function. Throughout this chapter, we will work over a perfect field with characteristic different from two.

4.1 Genus two curves and their jacobian

Just as elliptic curves, hyperelliptic curves of genus two over a given field $K$ are defined as the projective nonsingular model of a curve in $\mathbb{A}^2(K)$. We will again restrict ourselves to giving the equations in affine form to ease up on the notation.

Definition 4.1. A hyperelliptic curve of genus two, say $H$, over a field $K$ of characteristic different from two, is an algebraic curve defined by an equation of the form
$$H : y^2 = f(x),$$
where $f(x)$ is a squarefree polynomial in $K[x]$ of degree 5 or 6.

It can be proved that any smooth projective genus two curve over $K$ is isomorphic to a hyperelliptic curve of genus two over $K$ (as in the above definition). For that reason we can simply refer to them as genus two curves. If $\alpha$ is a root of $f(x)$, then we call $(\alpha, 0)$ a Weierstraß point. Given that we defined $f(x)$ to be squarefree, it follows that a hyperelliptic curve of genus two is by definition smooth. We will sometimes denote the polynomial $f(x)$ by $f_H$.

If $f_H$ is of degree 5 and 0 is not a root of $f_H$, then we can use the change of variables
$$x \mapsto 1/x, \qquad y \mapsto y/x^3$$
to transform the curve into one with an equation $y^2 = f_H$ where $f_H$ has degree 6. If 0 is a root of $f_H$ we can simply apply a translation before using the same change of variables.


[Fig. 4.1: (a) A line does not necessarily intersect a genus two curve in exactly three points: through $P$ and $Q$ the remaining intersection points are not determined. (b) The element $P_1 + P_2$ gets added to $Q_1 + Q_2$, resulting in $R_1 + R_2$: the cubic through $P_1, P_2, Q_1, Q_2$ meets the curve again in $-R_1$ and $-R_2$.]

Figure 4.1: The geometric interpretation of the group law of a genus two curve. A cubic through two pairs of points intersects the genus two curve in another pair of points.

All of this is under the assumption that $K$ has more than five elements of course, but in our application this will always be the case. This means that in essence there is little difference between the polynomial $f_H$ having degree 5 or 6, and we can use the representation that is easiest to work with given the context.

One of the noticeable differences is the points at infinity. If $f_H$ is of degree 5 then the nonsingular projective model of $H$ has a unique point at infinity $O_H$ (which is a Weierstraß point). If $f_H$ is of degree 6 however, there are two points at infinity, say $O_H$ and $O_H'$ (which are not Weierstraß points). In this case, if the leading coefficient of $f_H$ is a square then both these points are defined over $K$. If not, then they are defined over a quadratic extension of $K$. Regardless of the degree of $f_H$ however, we always have six Weierstraß points.

As soon as we draw a curve like this in the real (affine) plane to try to extend the group law of elliptic curves, we see that we run into an issue. An example of this is shown in Figure 4.1a. A line through two points no longer intersects a genus two curve in a unique third point, nor is there an obvious choice to pick one of these points, so this seems like a dead end.

There is an algebraic way to derive a group from a genus two curve, but we will first give the geometric meaning behind it. We will no longer take a single point as element of the group, but rather two points. We then define the group operation coefficient-wise, e.g. $(P + Q) \oplus (Q + R) = P + 2Q + R$. This would obviously lead to longer and longer representations of group elements. To combat this, we reduce the newly formed element to one consisting of two points again. This reduction is obtained by working modulo sums of points that lie on graphs of certain functions. In our case this is the cubic through the original four points, where by cubic we mean the graph of an equation of the form $y = c(x)$ with $c$ a polynomial of degree three. An example of this can be seen in Figure 4.1b. Since everything will turn out to be commutative, the $\oplus$ will be denoted simply by a regular plus sign. Exceptional cases such as the point(s) at infinity or coinciding points obviously lead to slightly different constructions. We will omit those special cases and go straight to the algebraic explanation behind it.


The group law is derived from the (principal) divisors that we defined in section 2.1. The set of principal divisors forms a group and will be denoted $\mathrm{Prin}_H$. Since this is a subgroup of the degree zero divisors, the following definition makes sense.

Definition 4.2. Let $H$ be a curve defined over $K$. The jacobian of $H$ over $K$ is defined as
$$J_H = \mathrm{Div}^0_H / \mathrm{Prin}_H.$$

The jacobian of $H$ over $K$ is often referred to as the divisor class group of $H$ over $K$, and denoted by $\mathrm{Pic}^0_H$. We will write $J_H(K)$ if we want to emphasize that we work with divisors defined over $K$ and not over a field extension. The jacobian is an example of an abelian variety, i.e. a projective algebraic variety that is equipped with a group operation. A homomorphism between abelian varieties is simply an algebraic morphism that preserves the group operation. The following theorem shows that in our case it indeed suffices to work with pairs of points.

Theorem 4.1. Let H be a genus two curve over K given by a polynomial f_H of degree 5 such that O_H is rational. Let D ∈ J_H be an element different from the identity. Then D can be written uniquely as either P_1 − O_H or P_1 + P_2 − 2O_H, where P_1 and P_2 are points of H with different x-coordinates. Additionally, in the former case P_1 is defined over K, while in the latter case either P_1 and P_2 are defined over K or they are Galois-conjugated.

Proof. See [MWZ96].

Note that in the case where f_H is a polynomial of degree 6, there is a similar result where the general expression is of the form P_1 + P_2 − O_H − O'_H. To ease up the notation, we will omit the formal terms −O_H and −2O_H at the end of the divisor representatives when talking about elements of the jacobian. We will however make a clear distinction between the points of a curve H and elements of its jacobian J_H (which consist of a combination of at most two points of H). Most of the time the meaning should be clear from the context. For computational purposes there are more convenient ways of representing the elements of J_H. A common method is called the Mumford representation, which uses a pair of polynomials rather than points. For more information see for example [Coh+05].

Completely analogously to the case of elliptic curves we can use the notation [n]D for the element that is defined by adding n instances of the element D. We will once again write J_H[n] for the kernel of this multiplication map, i.e.

\[ J_H[n] = \{ D \in J_H(\overline{K}) \mid [n]D = 0 \}, \]

and refer to this as the n-torsion of J_H. Elements of this subgroup are called n-torsion elements of H. We finish this section with the analogue of Theorem 3.1 and the definition of supersingularity, which is equivalent to the one for elliptic curves.

Theorem 4.2. Let H be a genus two curve defined over K and n ∈ Z \ {0}.

• If char(K) ∤ n then J_H[n] ≅ (Z/nZ)^4.

• If char(K) = p > 0 then J_H[p^e] ≅ (Z/p^eZ)^r, with r ∈ {0, 1, 2}, for all e ≥ 1.

Proof. This is the specific case g = 2 of [Coh+05, Theorem 14.11].


Definition 4.3. Let H be a hyperelliptic curve over K where char(K) = p > 0. The curve H is called supersingular if J_H[p] = {0} and ordinary if J_H[p] ≠ {0}.

Just as in the case of elliptic curves, the condition J_H[p] = {0} implies that J_H[p^e] = {0} for all e ≥ 1. The condition that J_H[p] is trivial is commonly referred to as H having p-rank zero.¹

4.2 Isogenies

It can be shown that any isomorphism between hyperelliptic curves of genus two given by polynomials of degree 5 is of the form

\[ (x, y) \mapsto (u^2 x' + b,\; u^5 y' + a_2 x'^2 + a_1 x' + a_0), \]

where u ∈ K^× and a_0, a_1, a_2, b ∈ K. Obviously these isomorphisms preserve the group operation of the jacobians as well. Once again we can identify isomorphism classes of genus two curves with an invariant, except in this case we will need an ordered triple of elements. These invariants are due to Cardona, Quer, Nart and Pujola and will be referred to as the G2-invariants. Unfortunately the formulas are given in terms of the J-invariants by Igusa and are therefore rather elaborate. As we will not need these specific formulas we will omit listing them and refer the interested reader to [CQ05] for a discussion when p is an odd prime. For us it suffices to know that there is a one-to-one correspondence between K-isomorphism classes of genus two curves and triples in K^3. For more general maps between genus two curves we have the following definition.

Definition 4.4. Let H_1 and H_2 be hyperelliptic curves of genus two over K. An isogeny φ : J_{H_1} → J_{H_2} is a surjective homomorphism of abelian varieties such that ker φ is finite.

Again we say that φ is separable if the finite field extension of function fields [K(J_{H_1}) : φ^*K(J_{H_2})] is separable. The structure theorem for finite abelian groups tells us that the following definition is consistent.

Definition 4.5. Let H_1 and H_2 be hyperelliptic curves of genus two over K and φ : J_{H_1} → J_{H_2} an isogeny between their jacobians. We say that φ is an (n_1, …, n_r)-isogeny if

\[ \ker \varphi \cong \mathbb{Z}/n_1\mathbb{Z} \times \cdots \times \mathbb{Z}/n_r\mathbb{Z}. \]

The property of dual isogenies still applies to hyperelliptic curves so being isogenous is again a well-defined equivalence relation. We now take a look at a very specific type of isogenies. They are called the Richelot isogenies and correspond to (2, 2)-isogenies from the previous definition. For the sake of implementation it is imperative that we know how they are constructed exactly. We will introduce the notion of quadratic splittings and follow the outline of [Smi+05]. For the remainder of this section we will fix a hyperelliptic curve of genus two H defined over K given by the equation

\[ H : y^2 = f_H = \prod_{i=1}^{6} (x - \alpha_i), \]

where the α_i are possibly in some extension of K. The case where f_H is of degree 5 can be addressed similarly with one factor being ‘0 · x + 1’, although we will mainly work with f_H being of degree 6 in the upcoming discussion. We have the following first observation.

¹ It is worth noting that supersingularity for curves of arbitrary genus is defined differently. For curves of genus two and one however, the more general definition coincides with having p-rank zero. From genus three onwards, this is no longer the case.

Proposition 4.1. Let φ : J_H → J_{H'} be an isogeny between the jacobians of hyperelliptic curves of genus two. If ker φ is a proper non-trivial subgroup of J_H[2], then φ is a (2, 2)-isogeny.

Proof. This is a consequence of [Smi+05, Lemma 8.1.1].

We will call the kernels of such (2, 2)-isogenies (2, 2)-subgroups.

Proposition 4.2. Each non-trivial element of J_H[2] can be uniquely represented by a pair of distinct Weierstraß points of H.

Proof. See [Smi+05, Lemma 8.1.3].

If P = (a, 0) and Q = (b, 0) are Weierstraß points of H, then 2P − 2Q = div((x − a)/(x − b)) holds. Hence up to a principal divisor P − Q and Q − P are equal and therefore they represent the same element in J_H. The Weil pairing of the divisors P − Q and R − S is defined by the expression (−1)^{#{P, Q, R, S}}. We say that a subgroup of J_H is maximal isotropic with regards to the Weil pairing if the Weil pairing of any two elements in the group equals one and the group can not be made larger without losing this property. It turns out that (2, 2)-subgroups can be characterized as subgroups isomorphic to Z/2Z × Z/2Z that are maximal isotropic with regards to the Weil pairing.

Recall that the Weierstraß points are completely determined by the roots of f_H, so every quadratic factor a(x − α_i)(x − α_j) determines an element of J_H[2]. A (2, 2)-isogeny is determined by a kernel of size four, so we want three non-trivial elements like this. There are

\[ \binom{6}{2} = 15 \]

ways to pick a quadratic factor, so 15 · 14 · 13 / 3! total ways of picking three distinct elements. A lot of those do not correspond to (2, 2)-subgroups of J_H[2] however. We have the following property.

Proposition 4.3. The (2, 2)-subgroups of J_H[2] can be represented as sets of quadratic factors of f_H that are pairwise coprime.

Proof. This is a consequence of [Smi+05, Lemma 8.1.3].

The previous proposition translates the requirement for the (2, 2)-subgroups to be maximal isotropic with regards to the Weil pairing to the quadratic factors being pairwise coprime. Indeed, if two quadratic factors would share one root we would have (−1)^{#{P, Q, R}} = −1 for Weierstraß points P, Q and R, invalidating one of the requirements to be maximal isotropic.

The previous proposition clearly explains the name quadratic splitting as well. We will now show how to construct the image genus two curve that is determined by this quadratic splitting.


Denote by K[x]_2 the K-vector space of polynomials of degree at most two. Let G = (g_1, g_2, g_3) be an element of K[x]_2^3, with g_i = a_{i,3}x^2 + a_{i,2}x + a_{i,1} for i ∈ {1, 2, 3}. We then define the following maps:

\[ \det : K[x]_2^3 \to K, \quad G \mapsto \det \begin{pmatrix} a_{1,1} & a_{1,2} & a_{1,3} \\ a_{2,1} & a_{2,2} & a_{2,3} \\ a_{3,1} & a_{3,2} & a_{3,3} \end{pmatrix}, \]

\[ \Pi : K[x]_2^3 \to K[x], \quad G \mapsto g_1 g_2 g_3. \]

We remark that Π^{−1}(f_H) is the set of ordered factorizations of f_H into three polynomials of degree at most two. If f_H is given by a polynomial of degree 5, then the factorization is one into two quadratic factors and a linear factor. From this point onwards a linear polynomial in this context should be viewed as a quadratic with one root ‘at infinity’. With this convention, each element of Π^{−1}(f_H) therefore represents a (2, 2)-subgroup of J_H[2].

We define an equivalence relation ∼ on K[x]_2^3 as follows: (g_1, g_2, g_3) ∼ (g_2, g_3, g_1) ∼ (g_3, g_1, g_2) as well as (g_1, g_2, g_3) ∼ (αg_1, βg_2, γg_3) for α, β, γ ∈ K^× with αβγ = 1. We can now define the set of quadratic splittings properly.

Definition 4.6. Let ℋ be the set of all squarefree polynomials of degree 5 or 6 over K. The set of quadratic splittings is then defined as

\[ S = \Pi^{-1}(\mathcal{H}) / \sim, \]

where the equivalence relation ∼ is defined as mentioned above.

The previously defined maps det : K[x]_2^3 → K and Π : K[x]_2^3 → K[x] induce well-defined maps det : S → K and Π : S → ℋ. We will write S_f for the set of quadratic splittings of f ∈ ℋ, i.e. S_f = Π^{−1}(f). We define the negative of G = [(g_1, g_2, g_3)] ∈ S as

\[ \nu([(g_1, g_2, g_3)]) = [(g_1, g_3, g_2)]. \]

The quotient of S_f by this map ν : S → S will be denoted |S_f|. For G ∈ S_f we will correspondingly denote its image in |S_f| by |G| and call this |G| an unsigned quadratic splitting of f. Since f is assumed squarefree, no quadratic splitting is its own negative, hence an unsigned quadratic splitting corresponds to exactly two quadratic splittings. We then have the following theorem.

Theorem 4.3. Let H be a hyperelliptic curve of genus two over K given by y^2 = f_H(x). The rational (2, 2)-subgroups of J_H[2] are in bijection with the unsigned quadratic splittings of f_H.

Proof. See [Smi+05, Proposition 8.2.3].

Note that we have not made use of the map det : S → K yet. We will say that a quadratic splitting G is singular if det(G) = 0 and nonsingular otherwise. The set of nonsingular quadratic splittings will be denoted as S^{ns} and the set of nonsingular quadratic splittings of f as S^{ns}_f. A singular quadratic splitting is a rather rare occurrence. We will eventually prove that for fields with characteristic either 0 or at least 13 there are at most six singular quadratic splittings for any given polynomial of degree 5 or 6 (and most often there are none at all). Hence the singular quadratic splittings are an exceptional case, as can be seen from the following theorem as well.

Theorem 4.4. Let H be a hyperelliptic curve of genus two defined over K. If G is a singular quadratic splitting of f_H then the corresponding (2, 2)-subgroup of this splitting determines an isogeny to a hyperelliptic curve of which the jacobian is isomorphic to a product of two elliptic curves.

Proof. See [Smi+05, Proposition 8.3.1].

Hyperelliptic curves whose jacobian is isomorphic to a product of supersingular elliptic curves will come back later so we will give them a name.

Definition 4.7. Let H be a hyperelliptic curve of genus two defined over K. We say that the jacobian J_H is superspecial if there exist supersingular elliptic curves E_1 and E_2 such that

\[ J_H \cong E_1 \times E_2. \]

With slight abuse of terminology we will also talk about superspecial hyperelliptic curves. It is clear that if H is a superspecial hyperelliptic curve of genus two, then it has p-rank zero so it must also be supersingular. Hence superspecial genus two curves are a subset of the supersingular genus two curves. Conversely it is also true that a supersingular genus two curve whose jacobian is isomorphic to the product of two elliptic curves is a superspecial curve, i.e. both elliptic curves are automatically supersingular as well.

Note that in the more general setting we say that a hyperelliptic curve H of genus g is superspecial if its jacobian is isomorphic to a product of g supersingular elliptic curves. In general, superspecial implies supersingular and supersingular implies having p-rank zero. In case of elliptic curves all three notions coincide. In case of genus two curves, the concepts of supersingularity and having p-rank zero are equal, but being supersingular and being superspecial are not. For hyperelliptic curves of genus three or higher, all three definitions are distinct.

We remark that the determinant of G = (g_1, g_2, g_3) turning zero means the coefficients of g_1, g_2 and g_3 are linearly dependent. This dependency allows us to write the elliptic curves E_1 and E_2 of Theorem 4.4 down explicitly (see for example [Smi+05, Section 8.3] or [CF96, Section 14.1]). The problem is that given E_1 and E_2 such that J_H ≅ E_1 × E_2, there is no easy known way to construct H. We will omit this case for now and focus on the nonsingular quadratic splittings. We first define the anticommutative, bilinear structure given by the bracket

\[ [f, g] = \frac{df}{dx} \cdot g - f \cdot \frac{dg}{dx}. \]

Definition 4.8. The Richelot operator is the map

\[ R : \{ G \in K[x]_2^3 \mid \det(G) \neq 0 \} \to K[x]_2^3, \quad (g_1, g_2, g_3) \mapsto (\delta [g_2, g_3],\; \delta [g_3, g_1],\; \delta [g_1, g_2]), \]

where δ = det(G)^{−1}.


If H is a genus two curve and G a nonsingular quadratic splitting, we will write H_G for the curve given by

\[ H_G : y^2 = \Pi(R(G)). \]

We can now formulate the main theorem of this section about Richelot isogenies.

Theorem 4.5. Let H be a hyperelliptic curve of genus two over K given by y^2 = f_H, and G a nonsingular quadratic splitting of f_H. Then there exists a well-defined homomorphism φ_G : J_H → J_{H_G} which is a (2, 2)-isogeny. Furthermore the kernel of φ_G is the (2, 2)-subgroup specified by the unsigned quadratic splitting |G| and φ_G(J_H[2]) is the (2, 2)-subgroup of J_{H_G} specified by |R(G)|.

Proof. See [Smi+05, Theorem 8.4.11].

This theorem implies a lot, such as the fact that Π(R(G)) is a polynomial of degree 5 or 6. Very concretely, when given a genus two curve H as product of quadratic factors, say y^2 = a(x)b(x)c(x), we know that there is a unit u ∈ K^× such that H is (2, 2)-isogenous to the genus two curve H' given by

\[ y^2 = u \cdot \bigl(b'(x)c(x) - b(x)c'(x)\bigr) \cdot \bigl(c'(x)a(x) - c(x)a'(x)\bigr) \cdot \bigl(a'(x)b(x) - a(x)b'(x)\bigr). \]

The unit u is easily calculated from the determinant of a 3 × 3 matrix, whereas the rest of the expression is simple arithmetic on polynomials of degree two at most. This straightforward computation will be imperative in the next section.

While a singular quadratic splitting corresponds to an isogeny with a superspecial genus two curve as image, it is important to note that the converse does not hold.² Indeed, there are nonsingular quadratic splittings that result in isogenies with superspecial genus two curves as image as well. Take for example the hyperelliptic curve H defined by y^2 = x^5 − x over F_{13^2}, which is an example of a superspecial curve as proved in [IKO86]. Then we can write y^2 = x(x + 1)(x + 5)(x + 8)(x + 12), where the quadratic splitting (x(x + 1), (x + 5)(x + 12), x + 8) results in an isogeny with image a genus two curve H' defined by y^2 = 10x^6 + 5x^5 + 7x^4 + 9x^3 + 4x^2 + 8x + 11. The G2-invariants of H are [2, 6, 5] and those of H' are [2, 6, 5] as well. This means they are isomorphic and hence the quadratic splitting has a superspecial genus two curve as image as well. For an example that does not involve an automorphism of the curve, we can start with domain H again and take the quadratic splitting ((x + 8)(x + 12), x(x + 1), x + 5). The resulting image of the corresponding isogeny is defined by y^2 = 6x^6 + x^4 + x^3 + 5x^2 + 9, which can be proved to be superspecial again (see for example [IKO86]), but has G2-invariants [7, 2, 2]. An interesting research question could be to investigate Richelot isogenies that have a superspecial genus two curve as image, to see if there are certain conditions under which the quadratic splitting is singular. We will not take this approach and focus on the nonsingular quadratic splittings instead.

4.3 Supersingular Isogeny Graphs

Unfortunately, Theorem 3.6 has no known comparable formulation for hyperelliptic curves of genus two. More precisely, a dimension argument can be made with moduli spaces of curves of genus two to show that there is an infinite amount of supersingular hyperelliptic curves of genus two. We will not make use of this fact so will not elaborate on the theory of moduli spaces. Instead we will work with just a finite subset that we can understand more easily. We will start with the hyperelliptic curve H defined over F_{p^2}, where p ≡ 5 (mod 8), given by the equation y^2 = x^5 − x. We will show that this curve is supersingular, and that if we constructively build a graph by chaining (2, 2)-isogenies starting from H, we get a finite graph.

² Remark that this is incorrectly implied to be a two-way implication in [Smi+05].

If J_H is an abelian variety then we call a homomorphism φ : J_H → J_H an endomorphism. The set of endomorphisms can be turned into a ring in an obvious way when we take composition of maps as multiplicative structure. We will denote this ring by End(J_H). The multiplication by n map [n] is an example of such an endomorphism so End(J_H) contains at least Z. It can be shown that End(J_H) is a finitely generated torsion-free Z-module (see for example [WM68]). One of the elements of this ring is of particular interest to us.

Definition 4.9. Let H be a hyperelliptic curve of genus two defined over F_q given by an equation y^2 = f(x), where f(x) has degree 5.³ Then the Frobenius morphism is given by

\[ \varphi_q : H \to H, \quad (x, y) \mapsto (x^q, y^q), \quad O_H \mapsto O_H. \]

This map extends to divisor classes and we will refer to this φ_q : J_H → J_H as the Frobenius endomorphism.

It is clear that since F_q is a field, the Frobenius endomorphism is injective. The reciprocal polynomial of the numerator of the zeta function is the characteristic polynomial of the Frobenius endomorphism φ_q (see for example [Coh+05]).⁴ By reciprocal polynomial we mean the polynomial with coefficients written in reverse order, i.e. the reciprocal polynomial of \(\sum_{i=0}^{k} a_i x^i\) is \(\sum_{i=0}^{k} a_{k-i} x^i\). With this property in mind we can deduce the following.

Proposition 4.4. Let C be a curve of genus g over F_q. Then

\[ \#C(\mathbb{F}_{q^i}) = q^i + 1 - \sum_{j=1}^{2g} \alpha_j^i, \]

where the α_j are the roots of the characteristic polynomial of the Frobenius endomorphism of C over F_q.

Proof. The proof is an easy calculation from the Weil conjectures and the relation between the defined α_j and the numerator of the zeta function:

\[
\begin{aligned}
\#C(\mathbb{F}_{q^i}) &= \frac{1}{(i-1)!} \left[ \frac{d^i}{dT^i} \log \frac{\prod_{j=1}^{2g} (1 - \alpha_j T)}{(1 - T)(1 - qT)} \right]_{T=0} \\
&= \frac{1}{(i-1)!} \left[ -\left( \sum_{j=1}^{2g} \frac{(i-1)!}{(1 - \alpha_j T)^i} \alpha_j^i \right) + \frac{(i-1)!}{(1 - T)^i} + \frac{(i-1)!}{(1 - qT)^i} q^i \right]_{T=0} \\
&= q^i + 1 - \sum_{j=1}^{2g} \alpha_j^i.
\end{aligned}
\]

³ If f(x) is of degree 6 then the definition needs to be slightly altered for the two points at infinity. If the leading coefficient of f(x) is a square then the points at infinity stay fixed, otherwise they get mapped to one another by the Frobenius morphism.

⁴ This characteristic polynomial of φ_q acts on the Tate module, which is a module that can be constructed from any abelian group. This concept is outside the scope of this discussion so we will not explore it further.

For the genus two curve H over F_{p^2} (with p ≡ 5 (mod 8)) given by the equation y^2 = x^5 − x, we will show that

\[ Z(H(\mathbb{F}_{p^2}); T) = \frac{(pT - 1)^4}{(1 - T)(1 - p^2 T)}. \]

With the above discussion in mind, it suffices to work over F_p instead of F_{p^2}. Indeed, we can simply square the eigenvalues α_j of the Frobenius endomorphism φ_p to obtain those of φ_{p^2}. By the previous proposition and the Weil conjectures we already have that the form of the zeta function over F_p is

\[ Z(H(\mathbb{F}_p); T) = \frac{(1 - \alpha T)(1 - \bar{\alpha} T)(1 - \beta T)(1 - \bar{\beta} T)}{(1 - T)(1 - pT)}. \]

We will determine α and β by point counting arguments and will start by proving the following proposition.

Proposition 4.5. Let H be the genus two curve over F_{p^2} given by y^2 = x^5 − x, where p ≡ 5 (mod 8). Then #H(F_p) = p + 1.

Proof. There is only one point at infinity so it suffices to show that the amount of affine points of the curve over F_p is equal to p. Note that the amount of affine points of the curve over F_p is given by

\[ \sum_{x \in \mathbb{F}_p} \left( \left( \frac{x^5 - x}{p} \right) + 1 \right), \]

where the Legendre symbol is used. Looking at this modulo p we find

\[ \sum_{x \in \mathbb{F}_p} \left( \left( \frac{x^5 - x}{p} \right) + 1 \right) \equiv \sum_{x \in \mathbb{F}_p} \left( \frac{x^5 - x}{p} \right) \equiv \sum_{x \in \mathbb{F}_p} (x^5 - x)^{\frac{p-1}{2}} \equiv \sum_{x \in \mathbb{F}_p^\times} (x^5 - x)^{\frac{p-1}{2}} \pmod p. \]


We now make the following observation, valid for every integer j ≥ 1:

\[ \sum_{x \in \mathbb{F}_p} x^j \equiv \begin{cases} 0 \pmod p & \text{if } p - 1 \nmid j, \\ -1 \pmod p & \text{if } p - 1 \mid j. \end{cases} \]

The second case is clear. For the first case write S := \(\sum_{x \in \mathbb{F}_p^\times} x^j\) with g ∈ F_p^× a generator (such that g^j ≠ 1). Then g^j S = \(\sum_{x \in \mathbb{F}_p^\times} (gx)^j\) = S such that S = 0 as wanted.

Writing out term k of the binomial expansion of (x^5 − x)^{(p−1)/2} we see that it equals

\[ (-1)^{\frac{p-1}{2} - k} \binom{\frac{p-1}{2}}{k} x^{\frac{p-1}{2} + 4k}. \]

In case p − 1 ∤ (p−1)/2 + 4k the sum we found equals zero. The case p − 1 | (p−1)/2 + 4k translates to 4k = λ(p−1)/2 for some odd integer λ. Hence k = λ(p−1)/8, which contradicts the fact that k ∈ N and p ≡ 5 (mod 8). So this case never happens and we eventually find that

\[ \sum_{x \in \mathbb{F}_p^\times} (x^5 - x)^{\frac{p-1}{2}} \equiv 0 \pmod p. \]

So we are left with the possibility of 0, p or 2p affine points over F_p. Clearly there is at least one solution ((0, 0) works for any p) and not every value for x can have two distinct values for y (again clear by (0, 0) being a solution). So H has p affine points as wanted.

From Proposition 4.4 it then follows that

\[ \alpha + \bar{\alpha} + \beta + \bar{\beta} = 0. \]

Note that there are other (simpler) ways of proving the previous proposition. This method however can be generalized and will be reused in Proposition 4.6. An alternative short proof for the previous proposition goes as follows. Partition the elements of F_p into three distinct sets S_1, S_2 and S_3, which respectively correspond to the elements of F_p such that x^5 − x is a nonzero square, x^5 − x is not a square, and x^5 − x is zero. Since this is a partition, it is clear that #S_1 + #S_2 + #S_3 = p. The amount of affine points of H(F_p) is then given by 2#S_1 + #S_3, hence it suffices to prove that #S_1 = #S_2. For this we note that p ≡ 1 (mod 4) implies we have an i such that i^2 = −1. Furthermore this i is not a square itself since p ≡ 5 (mod 8). Now consider the map

\[ S_1 \to S_2 : x \mapsto ix, \]

which is well-defined since if x^5 − x is a nonzero square, then (ix)^5 − ix = i(x^5 − x) is not a square. This map has S_2 → S_1 : x ↦ −ix as inverse and is therefore a bijection, proving that #S_1 = #S_2 as wanted.

As said before, we will use a similar reasoning as in the longer proof in order to count points over the field F_{p^2}, but will need the following theorem as well.

Theorem 4.6 (Lucas Theorem). Let m, n ∈ N and p a prime. Write m and n in base p expansion as follows:

\[ m = m_k p^k + m_{k-1} p^{k-1} + \cdots + m_1 p + m_0, \]
\[ n = n_k p^k + n_{k-1} p^{k-1} + \cdots + n_1 p + n_0. \]

It then holds that

\[ \binom{m}{n} \equiv \prod_{i=0}^{k} \binom{m_i}{n_i} \pmod p, \]

where we used the convention that \(\binom{m}{n} = 0\) if n > m.

Proof. The proof is a straightforward deduction.

\[
\begin{aligned}
\sum_{n=0}^{m} \binom{m}{n} x^n &= (1 + x)^m = \prod_{i=0}^{k} \left( (1 + x)^{p^i} \right)^{m_i} \equiv \prod_{i=0}^{k} \left( 1 + x^{p^i} \right)^{m_i} \\
&= \prod_{i=0}^{k} \left( \sum_{n_i=0}^{m_i} \binom{m_i}{n_i} x^{n_i p^i} \right) = \prod_{i=0}^{k} \left( \sum_{n_i=0}^{p-1} \binom{m_i}{n_i} x^{n_i p^i} \right) \\
&= \sum_{n=0}^{m} \left( \prod_{i=0}^{k} \binom{m_i}{n_i} \right) x^n \pmod p.
\end{aligned}
\]

We now give a condition on the amount of points of H over F_{p^2}.

Proposition 4.6. Let H be the genus two curve over F_{p^2} given by y^2 = x^5 − x, where p ≡ 5 (mod 8). Then #H(F_{p^2}) ≡ 1 (mod p).

Proof. Again we have one point at infinity, so it suffices to verify the amount of affine points of the curve over F_{p^2} to be divisible by p. Completely analogously as in the previous proposition, this amount of points is congruent modulo p to

\[ \sum_{x \in \mathbb{F}_{p^2}^\times} (x^5 - x)^{\frac{p^2 - 1}{2}}. \]

Writing the binomial expansion for term k we find that it equals

\[ (-1)^{\frac{p^2-1}{2} - k} \binom{\frac{p^2-1}{2}}{k} x^{\frac{p^2-1}{2} + 4k}. \]

The only terms in the aforementioned sum that do not vanish are those where p^2 − 1 | (p^2−1)/2 + 4k, or k = λ(p^2−1)/8, with λ an odd integer. Note that due to the binomial expansion, k can not be larger than (p^2−1)/2, hence λ can only equal 1 or 3.


We then find

\[ \sum_{x \in \mathbb{F}_{p^2}^\times} (x^5 - x)^{\frac{p^2-1}{2}} \equiv \binom{\frac{p^2-1}{2}}{\frac{p^2-1}{8}} + \binom{\frac{p^2-1}{2}}{3 \cdot \frac{p^2-1}{8}} = 2 \binom{\frac{p^2-1}{2}}{\frac{p^2-1}{8}} \equiv 2 \binom{\frac{p-1}{2}}{\frac{p-5}{8}} \binom{\frac{p-1}{2}}{\frac{5p-1}{8}} \pmod p. \]

The sign of each surviving term is positive: (p^2−1)/2 is even whereas k = λ(p^2−1)/8 is odd for p ≡ 5 (mod 8), so (−1)^{(p^2−1)/2 − k} = −1, and \(\sum_{x \in \mathbb{F}_{p^2}^\times} x^{p^2-1} = p^2 - 1 \equiv -1 \pmod p\). In the last step we used Lucas' theorem with the base p expansions (p^2−1)/2 = ((p−1)/2)·p + (p−1)/2 and (p^2−1)/8 = ((p−5)/8)·p + (5p−1)/8. Note that this is well defined since p ≡ 5 (mod 8).

To conclude it suffices to see that (5p−1)/8 > (p−1)/2 such that the second binomial coefficient is zero and hence the sum is divisible by p as wanted.

By Proposition 4.4 it then follows that

\[ \alpha^2 + \bar{\alpha}^2 + \beta^2 + \bar{\beta}^2 \equiv 0 \pmod p. \]

Finally we will make use of the following property as well: the amount of elements in the jacobian of a curve over a field is equal to the numerator of the zeta function of that curve over that same field evaluated in one. In symbols: #J_H(F_p) = L_H(1), where L_H(T) is the numerator of Z(H(F_p); T), which in our case equals (α − 1)(ᾱ − 1)(β − 1)(β̄ − 1).

Furthermore since p ≡ 5 (mod 8) we know that −1 is a square in F_p, hence x^5 − x splits completely as x(x − 1)(x + 1)(x − i)(x + i), with i a root of −1. If we now define P_1 = O_H, P_2 = (0, 0), P_3 = (1, 0), P_4 = (−1, 0), P_5 = (i, 0), P_6 = (−i, 0), then every 2-torsion element of J_H is given by P_j − P_k for 1 ≤ j, k ≤ 6. All elements where j and k are distinct are pairwise distinct as well by Theorem 4.1. For the case where j equals k we always end up with 0 ∈ J_H, hence the 2-torsion subgroup of J_H consists of

\[ \binom{6}{2} + 1 = 16 \]

elements. By Lagrange's theorem we obtain our third condition on α and β, i.e. 16 | (α − 1)(ᾱ − 1)(β − 1)(β̄ − 1). In summary we have

\[
\begin{aligned}
\alpha + \bar{\alpha} + \beta + \bar{\beta} &= 0, \\
\alpha^2 + \bar{\alpha}^2 + \beta^2 + \bar{\beta}^2 &\equiv 0 \pmod p, \\
16 &\mid (\alpha - 1)(\bar{\alpha} - 1)(\beta - 1)(\bar{\beta} - 1).
\end{aligned}
\]

By the Weil Conjectures we can write α = √p e^{iθ} and β = √p e^{iψ}. The conditions then turn into

\[
\begin{aligned}
\cos\theta + \cos\psi &= 0, \\
\cos(2\theta) + \cos(2\psi) &\in \mathbb{Z}, \\
16 &\mid (\alpha - 1)(\bar{\alpha} - 1)(\beta - 1)(\bar{\beta} - 1).
\end{aligned}
\]

The second condition implies that cos(2θ) + cos(2ψ) ∈ {−2, −1, 0, 1, 2} since cosine is bounded in absolute value by 1. Using double angle formulas and substituting the first equation into the second we find that 4 cos^2 θ ∈ {0, 1, 2, 3, 4}.

Case 1: 4 cos^2 θ = 0. In this case (α − 1)(ᾱ − 1)(β − 1)(β̄ − 1) = (p + 1)^2. But p ≡ 5 (mod 8) was given so (p + 1)^2 ≡ 4 (mod 16), which is a contradiction.


Case 2: 4 cos^2 θ = 1. In this case (α − 1)(ᾱ − 1)(β − 1)(β̄ − 1) = p^2 + p + 1, hence always odd and never divisible by 16.

Case 3: 4 cos^2 θ = 2. In this case (α − 1)(ᾱ − 1)(β − 1)(β̄ − 1) = p^2 + 1, hence (α − 1)(ᾱ − 1)(β − 1)(β̄ − 1) ≡ 10 (mod 16), again a contradiction.

Case 4: 4 cos^2 θ = 3. In this case (α − 1)(ᾱ − 1)(β − 1)(β̄ − 1) = p^2 − p + 1, hence always odd and never divisible by 16.

Case 5: 4 cos^2 θ = 4. In this case (α − 1)(ᾱ − 1)(β − 1)(β̄ − 1) = (p − 1)^2. But p ≡ 5 (mod 8) was given so 16 | (α − 1)(ᾱ − 1)(β − 1)(β̄ − 1) holds.

The last case implies that we can assume α = √p = −β. So by squaring α and β, we can conclude that the zeta function of H over F_{p^2} (with p ≡ 5 (mod 8)) given by the equation y^2 = x^5 − x is indeed

\[ Z(H(\mathbb{F}_{p^2}); T) = \frac{(pT - 1)^4}{(1 - T)(1 - p^2 T)}. \]

This means that the characteristic polynomial of the Frobenius endomorphism φ_{p^2} : J_H → J_H is given by

\[ \chi(\varphi_{p^2})(T) = (T - p)^4. \]

By Cayley-Hamilton we know that any map satisfies its own characteristic polynomial, hence we have that

\[ (\varphi_{p^2} - [p])^4 = [0]. \]

Since the Frobenius endomorphism is semisimple (a theorem of Tate), its minimal polynomial has no repeated roots, so it must hold that φ_{p^2} = [p]. The Frobenius endomorphism is always injective, therefore [p] is injective as well, so we see that H has p-rank zero and is by definition supersingular.
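The point counts behind Propositions 4.5 and 4.6 and the zeta function just derived can be checked numerically. The following Python code is an added example written for this text (it is not part of the thesis or its Magma implementation): it represents F_{p^2} as F_p[t]/(t^2 − 2), which is a field because 2 is a non-square modulo every p ≡ 5 (mod 8), decides squareness in F_{p^2} through the norm a^2 − 2b^2 ∈ F_p, and counts the points of H: y^2 = x^5 − x over F_p and over F_{p^2}. Since φ_{p^2} = [p] forces every α_j^2 = p, Proposition 4.4 predicts exactly p^2 + 1 − 4p points over F_{p^2}, which is sharper than the congruence of Proposition 4.6; the function `frobenius_is_multiplication_by_p` (a name chosen here) tests both counts against these predictions.

```python
"""Point counts on H: y^2 = x^5 - x over F_p and F_{p^2} for p = 5 (mod 8).

Added example, not part of the thesis.  F_{p^2} is modelled as F_p[t]/(t^2 - 2);
this is a field because 2 is a non-square mod p precisely when p = 3, 5 (mod 8).
"""

NONRES = 2  # t^2 = NONRES defines F_{p^2}; a non-square for every p = 5 (mod 8)


def legendre(a, p):
    """Quadratic character (a | p): 0 if p divides a, 1 for a square, -1 otherwise."""
    a %= p
    if a == 0:
        return 0
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1


def count_points_fp(p):
    """#H(F_p) = 1 (point at infinity, f has degree 5) + sum_x (1 + (x^5 - x | p))."""
    return 1 + sum(1 + legendre(x**5 - x, p) for x in range(p))


def fp2_mul(u, v, p):
    """Multiply a + b t and c + d t in F_p[t]/(t^2 - NONRES)."""
    a, b = u
    c, d = v
    return ((a * c + NONRES * b * d) % p, (a * d + b * c) % p)


def fp2_char(z, p):
    """Quadratic character of z = a + b t in F_{p^2}.

    z^((p^2-1)/2) = (z^(p+1))^((p-1)/2) and z^(p+1) = N(z) = a^2 - NONRES*b^2 lies in
    F_p, so z is a square in F_{p^2} iff its norm is a square in F_p (N(z) = 0 iff z = 0).
    """
    a, b = z
    return legendre(a * a - NONRES * b * b, p)


def count_points_fp2(p):
    """#H(F_{p^2}) by direct enumeration of x = a + b t over F_{p^2}."""
    total = 1  # the single point at infinity
    for a in range(p):
        for b in range(p):
            z = (a, b)
            z2 = fp2_mul(z, z, p)
            z4 = fp2_mul(z2, z2, p)
            z5 = fp2_mul(z4, z, p)
            w = ((z5[0] - a) % p, (z5[1] - b) % p)  # w = x^5 - x
            total += 1 + fp2_char(w, p)
    return total


def frobenius_is_multiplication_by_p(p):
    """True iff the counts agree with alpha = sqrt(p) = -beta, i.e. Frobenius over
    F_{p^2} equal to [p]: #H(F_p) = p + 1 and #H(F_{p^2}) = p^2 + 1 - 4p
    (Proposition 4.4 with every alpha_j^2 = p)."""
    if p % 8 != 5:
        raise ValueError("the argument in the text assumes p = 5 (mod 8)")
    return count_points_fp(p) == p + 1 and count_points_fp2(p) == p * p + 1 - 4 * p


if __name__ == "__main__":
    for p in (5, 13, 29, 37):
        print(p, count_points_fp(p), count_points_fp2(p), frobenius_is_multiplication_by_p(p))
```

For p = 13 this gives 14 points over F_13 and 118 = 169 + 1 − 52 points over F_169 (and 118 ≡ 1 (mod 13), as Proposition 4.6 requires). The enumeration is quadratic in p, so it is meant for small primes only.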

The condition for a divisor class D being an element of J_H(F_{p^2}) is equivalent to D being invariant under φ_{p^2}. Now take an element D ∈ J_H[2]. For D to be defined over F_{p^2} it is thus needed that D = φ_{p^2}(D). But φ_{p^2} equals multiplication by p, which is an odd prime, so this is always true since [2]D = 0. This implies that all elements of J_H[2] are F_{p^2}-rational. A profound theorem by Tate says that if two abelian varieties over F_q are isogenous over F_q, then they have the same zeta function. Since all elements of J_H[2] are F_{p^2}-rational, any (2, 2)-isogeny we obtain this way is defined over F_{p^2}. Furthermore, the image of this isogeny has the same zeta function so we can repeat the above discussion completely for that curve.

We now construct the graph G_p as follows. The vertices of the graph are isomorphism classes of hyperelliptic curves and will be labeled by their G2-invariants. One of those vertices is the starting vertex and corresponds to the G2-invariants of H, which is given by the equation y^2 = x^5 − x and defined over F_{p^2}, with p ≡ 5 (mod 8). From this starting vertex, we recursively add edges and vertices by adding edges for any (2, 2)-isogeny between the corresponding genus two curves. The previous section and the above discussion can thus be summarized in the following theorem.

Theorem 4.7. Every vertex of the graph G_p is an isomorphism class of supersingular genus two curves that contains at least one representative over F_{p^2}. In particular, G_p is a finite, connected, 15-regular graph.

Since there is an infinite amount of supersingular genus two curves, a corollary to this theorem is that the (2, 2)-isogeny graph of supersingular genus two curves is not connected, in contrast to the case of elliptic curves.


We can now use Gp to create a CGL hash function analogously as we did forG(p, l). Unfortunately the superspecial genus two curves corresponding to the im-age of an isogeny defined by a singular quadratic splitting can not be calculatedby the formulas we discussed earlier. For that reason we will simply omit thesevertices and work in a subgraph G′p of Gp. The graph G′p starts with vertex theG2-invariants of H and we constructively add edges and vertices that correspond toRichelot isogenies that originate from a nonsingular quadratic splitting. Note thatthe graph G′p does contain at least one isomorphism class of superspecial curves, i.e.the vertex corresponding to the G2-invariant of our initial curve H (for a proof thatthis is indeed a superspecial genus two curve, see [IKO86]). We will take this as ourstarting point of the CGL hash function, which means we may not be working in anundirected graph anymore. Indeed, if the reverse (2, 2)-isogeny would correspond toa singular quadratic splitting there is no way of going back with a Richelot isogeny.This will not pose a problem but it does already highlight the fact that G′p may nolonger be a 15-regular graph. In fact, if p ≡ 5 (mod 8) then H always has at least6 singular quadratic splittings so G′p is never a 15-regular graph. For a lower boundon the amount of nonsingular quadratic splittings for an arbitrary genus two curveH we have the following result.

Proposition 4.7. Let H be a genus two curve defined over a field with characteristic different from 2, 3, 5, 7 and 11. Then there are at most 6 singular quadratic splittings of H.

Proof. The proof of this proposition makes use of a Gröbner basis calculation in Magma and is postponed to section 5.2.

This proposition tells us that any vertex in G′_p has at least 9 outgoing edges. In general, when p is large, the case where there are only 9 is rare, but it can occur, so we have to take this bound into account. Note that apart from the vertices corresponding to superspecial genus two curves, the rest of the graph is guaranteed to have undirected edges, since any Richelot isogeny has a dual. Furthermore, this dual Richelot isogeny is easily found. If we start from the genus two curve given by y^2 = g_1 g_2 g_3 and use the quadratic splitting (g_1, g_2, g_3), then the image is the genus two curve given by y^2 = [g_1, g_2][g_1, g_3][g_2, g_3]. The dual Richelot isogeny then corresponds exactly to this factorization, i.e. it is given by the quadratic splitting ([g_1, g_2], [g_1, g_3], [g_2, g_3]).

Our CGL hash function then works as follows. We start at the vertex corresponding to H and order its 15 quadratic splittings in some fixed way, for example by the x-coordinates of their roots. We check in that order whether each quadratic splitting is singular and stop once we have found 8 nonsingular ones. We then read the first 3 bits of the input and choose the quadratic splitting that these 3 bits index in the fixed order. We repeat this process for the remaining bits, except that we now exclude the dual isogeny back and order the remaining 14 quadratic splittings. If the number of bits is not divisible by 3, we pad the input with one or two zeros at the front. The output is the triple of G2-invariants of the final vertex.

We finish this section with a brief discussion of the (2, 2)-isogenies that have a superspecial genus two curve as image. One may wonder why we exclude the edges corresponding to singular quadratic splittings. As mentioned before, finding the equations of the curves E_1 and E_2 such that J_H ≅ E_1 × E_2 is possible with arguments analogous to those for Richelot isogenies, but there is unfortunately no known way of obtaining the equation of H from this. Richelot isogenies are not the only way to construct (2, 2)-isogenies, however. Another approach would be to work on the Kummer surface when dealing with these superspecial genus two curves. This procedure likely needs a considerably more complicated implementation and longer computation time, which in turn may make our hash function vulnerable to side-channel attacks. Side-channel attacks are attacks based on information outside the algorithm itself, such as processing time, power consumption or even the sound of the computer system. If our hash function needed noticeably more processing time to handle superspecial genus two curves, this vertex-dependent timing could potentially be exploited, since it reveals which kind of vertex the walk passed through. Alternatively, one could construct the hash function to work with Kummer surfaces at every vertex instead of only at those corresponding to superspecial genus two curves, but this would probably make the computations in general far more convoluted than the simple polynomial equations we have now.

One additional concern with regard to this topic is that allowing superspecial genus two curves in our graph may actually lead to another exploit by means of finding loops. Starting from a superspecial genus two curve H with J_H ≅ E_1 × E_2 we can construct a non-trivial loop by means of 2-isogenies and their duals acting on the separate elliptic curves. An example of this is shown in the following diagram.

[Diagram: a square of (2, 2)-isogenies between the products E_1 × E_2, E′_1 × E′_2, E′′_1 × E′_2 and E_1 × E′′_2, with edges labelled (φ, ψ), (φ, ψ′), (φ′, ψ) and (φ′, ψ′).]

Since we are working with 2-isogenies, the resulting kernels of the isogenies on the jacobian of the superspecial genus two curves are (2, 2)-subgroups, but it is not inherently clear that these are maximal isotropic with regard to the Weil pairing. This is something that would definitely need to be examined in further research, even though the exact correspondence J_H ≅ E_1 × E_2 may be unclear.


Chapter 5

Implementations

In this chapter we discuss all the implementations and results obtained with the help of the computer algebra software Magma and the statistical software R. Certain images are made with the help of MATLAB. We start by exploring some small examples in section 5.1. In section 5.2 we verify how often a genus two curve can have a singular quadratic splitting. In section 5.3 we make a heuristic analysis of the size of the graph we constructed in section 4.3. Next we investigate the actual number of singular quadratic splittings a genus two curve has in section 5.4, followed by a discussion of the expanding properties of our graph in section 5.5. Finally, in section 5.6 we discuss the concrete implementation of the genus two variant of the CGL hash function. To keep this chapter clear, we use pseudocode for all the algorithms. The implemented code used in Magma and R can be found in the appendices.

5.1 Some small examples of G′p

A first obvious thing to do is to see what G′_p looks like for small values of p. For that we use Algorithm 1. Note that we keep track of the multiplicities of edges by using a multiset instead of a set.

For p equal to 5 we do obtain a graph, albeit a rather trivial one. There are 10 singular quadratic splittings for H and the 5 nonsingular ones correspond to isogenies to a genus two curve that is isomorphic to H. Hence the graph G′_5 consists of a single vertex with a loop (which has multiplicity 5).

The case p equal to 13 is already slightly more interesting. First we remark that by Theorem 3.3 of [IKO86] there are exactly three superspecial genus two curves over F_{13^2}. Our algorithm found three distinct vertices and they correspond exactly to the G2-invariants of these three superspecial genus two curves. The graph G′_13 can be seen in Figure 5.1b. At first this seems rather well connected, apart from the fact that there is no edge from A to B either way. However, when we consider a (random) walk in this graph it is immediately clear that vertex A will be visited a lot less frequently. Indeed, the only way from B or C back to our starting vertex A is by going through B and taking the only edge that leads to A (out of 12 edges in total). This situation seems less than ideal for creating an expander graph.

The next case is G′_29, a representation of which can be seen in Figure 5.2. The graph already has 18 vertices at this point and seems much better connected. There are still some rather large discrepancies between the number of (distinct) edges that arrive at or depart from an arbitrary vertex. For example, vertex A merely has 2 outgoing and incoming edges that are not loops, whereas vertex D has many more distinct edges. Overall the graph colors are mainly magenta and red, which suggests that edges with large multiplicity may fade out as p grows. Additionally, not all vertices have loops anymore, in contrast to the previous two cases.

Algorithm 1 Constructing G′_p completely for a fixed p.

  ToVisit ← {x^5 − x}
  Visited ← { }
  while ToVisit ≠ ∅ do
      Remove random element P from ToVisit
      H ← genus two curve defined by y^2 = P
      if G2-invariants of H ∉ Visited then
          Images ← {* *} (empty multiset)
          for all nonsingular quadratic splittings s of H do
              Q ← polynomial derived from s
              Add Q to ToVisit
              Add G2-invariants of genus two curve defined by y^2 = Q to Images
          end for
          Print the G2-invariants of H followed by the multiset Images
      end if
      Add G2-invariants of H to Visited
  end while

[Figure 5.1, panels (a) p = 5 and (b) p = 13: The graphs G′_p for p equal to 5 and 13. Panel (a) is the single vertex A with a loop of multiplicity 5; panel (b) has the vertices A, B and C. The numbers indicate the multiplicities of the edges.]

For even larger values of p it is no longer feasible to derive much from a visual representation, so we will work more methodically in the following sections.

5.2 Amount of Singular Quadratic Splittings

In this section we prove Proposition 4.7, i.e. any genus two curve has at most 6 singular quadratic splittings, as long as we work over a field with characteristic different from 2, 3, 5, 7 or 11.

[Figure 5.2: The complete graph G′_29, with vertices A to R. The colored legend (1 to 6) refers to the multiplicities of the edges.]

Let H be a genus two curve given by
$$y^2 = f_H = a \prod_{i=1}^{6} (x - \alpha_i).$$
As usual f_H can be of degree 5, but in that case one of the roots is at infinity. Let i, j, k, l, m, n denote the pairwise distinct indices of the roots α_ι of f_H. Then, up to units, the quadratic splittings are given by the 15 non-trivial permutations of
$$\bigl(x^2 - (\alpha_i + \alpha_j)x + \alpha_i\alpha_j,\; x^2 - (\alpha_k + \alpha_l)x + \alpha_k\alpha_l,\; x^2 - (\alpha_m + \alpha_n)x + \alpha_m\alpha_n\bigr)$$
that determine a different Richelot isogeny. These isogenies correspond to a singular quadratic splitting if and only if
$$\det\begin{pmatrix} 1 & \alpha_i + \alpha_j & \alpha_i\alpha_j \\ 1 & \alpha_k + \alpha_l & \alpha_k\alpha_l \\ 1 & \alpha_m + \alpha_n & \alpha_m\alpha_n \end{pmatrix} = 0. \tag{5.1}$$

Hence the question boils down to how many of the determinants of the 15 non-trivial permutations of the α_ι can be zero simultaneously. A quick calculation shows that for H defined by y^2 = x^5 − x over F_{p^2}, p ≡ 5 (mod 8), we have at least 6. Indeed, since p ≡ 5 (mod 8) we know there is an i ∈ F_p such that i^2 = −1. This means we can write x^5 − x = x(x − 1)(x + 1)(x − i)(x + i) and see that
$$\begin{vmatrix} 1 & 1+i & i \\ 1 & -1-i & i \\ 0 & 1 & 0 \end{vmatrix},\quad
\begin{vmatrix} 1 & i-1 & -i \\ 1 & 1-i & -i \\ 0 & 1 & 0 \end{vmatrix},\quad
\begin{vmatrix} 1 & 0 & -1 \\ 1 & i & 0 \\ 0 & 1 & -i \end{vmatrix},\quad
\begin{vmatrix} 1 & 0 & -1 \\ 1 & -i & 0 \\ 0 & 1 & i \end{vmatrix},\quad
\begin{vmatrix} 1 & 0 & 1 \\ 1 & -1 & 0 \\ 0 & 1 & 1 \end{vmatrix},\quad
\begin{vmatrix} 1 & 0 & 1 \\ 1 & 1 & 0 \\ 0 & 1 & -1 \end{vmatrix}$$
are all zero. (A row of the form (0, 1, α) stands for the pair consisting of the root at infinity and the root α, whose factor degenerates to the linear polynomial x − α.)

To show that no more than 6 can occur we work with Gröbner bases. The permutations of equation (5.1) determine 15 different polynomials f_1, …, f_15 in K[α_1, …, α_6], where K is the field over which our roots are defined. We pick a subset of 7 of these polynomials and form the ideal I generated by them. We then add the polynomial corresponding to the equation
$$\prod_{1 \le i < j \le 6} (\alpha_i - \alpha_j) = 1$$
as a generator of I as well. This forces our roots α_ι to be distinct, which is a requirement for H to be a genus two curve. This is obviously needed, since otherwise Equation (5.1) holds for all permutations as soon as all α_ι are equal. Note that technically we should multiply the left-hand side of this last equation by a new (seventh) variable. However, since we work over the algebraic closure of fields, any solution to either equation yields a solution to the other as well. Therefore the simplified version is preferred, since it obviously reduces computation time.

Now we determine a Gröbner basis G for I. If G = {1} then the variety defined by I is empty, and hence the 7 equations we chose cannot be satisfied simultaneously under the assumption that all α_ι are different. If we repeat this process for all possible subsets of 7 equations and find G = {1} in all cases, then we are done. There are $\binom{15}{7} = 6435$ possible ways of selecting such a subset, so the computation will be done in Magma; the pseudocode can be seen in Algorithm 2. Remark that by using the symmetry in the variables the algorithm could possibly be made more efficient, but that would of course not alter the result.

Note that in the algorithm we have defined the coefficients of the equations to be in Q. This only shows that there are no solutions over Q, while we typically want to work over a field of prime characteristic. If the Gröbner basis is G = {1}, however, we can write 1 as a linear combination of that particular choice of polynomials f_ι, say 1 = h_1 f_1 + … + h_8 f_8. If we then multiply both sides of this equation by the lowest common multiple of the denominators of the coefficients of the h_ι, we obtain an equation with coefficients in Z[α_1, …, α_6]. So as long as the characteristic p of the field we work over does not divide that lowest common multiple, we still find a contradictory system. It therefore suffices to keep track of the primes that divide the denominators. The resulting primes are 2, 3, 5, 7 and 11.

Remark that issues may indeed arise if we work over fields with these characteristics: defining H by y^2 = x^5 − x over F_25 we find 10 permutations of Equation (5.1) that are simultaneously satisfied. Apart from the six cases already mentioned, we also find
$$\begin{vmatrix} 1 & 1+i & i \\ 1 & -1 & 0 \\ 0 & 1 & -i \end{vmatrix},\quad
\begin{vmatrix} 1 & 1 & 0 \\ 1 & -1-i & i \\ 0 & 1 & i \end{vmatrix},\quad
\begin{vmatrix} 1 & -i & 0 \\ 1 & i-1 & -i \\ 0 & 1 & 1 \end{vmatrix},\quad
\begin{vmatrix} 1 & 1-i & -i \\ 1 & i & 0 \\ 0 & 1 & -1 \end{vmatrix}$$
to all be zero, since we can choose i = 2 as a root of −1 in a field of characteristic 5. Since we typically work over fields with large prime characteristic, we will not explore these exceptional cases any further.
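The following Python script is an added example, not code from the thesis: it counts the singular quadratic splittings of y^2 = x^5 − x over F_p with criterion (5.1) (reproducing the 6 found above for p = 13, 29, 37 and the 10 found in characteristic 5) and applies the 3-bit selection rule of the hash step from section 4.3. It assumes p ≡ 5 (mod 8), so that all six roots are F_p-rational, and its ordering of the splittings (by root x-coordinates, infinity last) is one concrete choice of the fixed ordering the walk requires.

```python
"""Singular quadratic splittings of y^2 = x^5 - x and the 3-bit choice of a hash step.

Added example, not code from the thesis.  All arithmetic is on plain integers
modulo p.  Assumption: p = 5 (mod 8), so that i = sqrt(-1) lies in F_p and the six
roots 0, 1, -1, i, -i and infinity of (the sextic view of) x^5 - x are all
F_p-rational; `None` stands for the root at infinity.  Richelot images are not
computed here, only criterion (5.1) and the selection rule of the walk.
"""


def sqrt_minus_one(p):
    """Smallest i in F_p with i*i = -1 (exists exactly when p = 1 mod 4)."""
    for i in range(2, p):
        if (i * i) % p == p - 1:
            return i
    raise ValueError("-1 is not a square modulo %d" % p)


def roots_x5_minus_x(p):
    """Roots of x^5 - x = x(x - 1)(x + 1)(x - i)(x + i), plus the root at infinity."""
    i = sqrt_minus_one(p)
    return [0, 1, p - 1, i, p - i, None]


def factor_vector(a, b, p):
    """Coefficients (x^2, x, 1) of the factor of f_H with roots a and b.

    A pair containing infinity degenerates to the linear factor x - a, i.e. the
    row (0, 1, -a).  These rows differ from the (1, s, p) rows of (5.1) only by
    signs of rows and columns, which does not affect whether the determinant vanishes.
    """
    if a is None:
        a, b = b, a
    if b is None:
        return (0, 1, (-a) % p)
    return (1, (-(a + b)) % p, (a * b) % p)


def det3(rows, p):
    """Determinant of a 3x3 matrix over F_p by cofactor expansion along row 1."""
    (a, b, c), (d, e, f), (g, h, i) = rows
    return (a * (e * i - f * h) - b * (d * i - f * g) + c * (d * h - e * g)) % p


def splittings(roots):
    """The 15 quadratic splittings: partitions of the six roots into three pairs."""
    first, others = roots[0], roots[1:]
    result = []
    for partner in others:                      # 5 partners for the first root
        rest = [r for r in others if r != partner]
        a, tail = rest[0], rest[1:]
        for c in tail:                          # 3 ways to pair the remaining four
            d = [r for r in tail if r != c]
            result.append(((first, partner), (a, c), (d[0], d[1])))
    return result


def is_singular(splitting, p):
    """Criterion (5.1): the splitting is singular iff its three factors are dependent."""
    return det3([factor_vector(a, b, p) for a, b in splitting], p) == 0


def count_singular(p):
    """Number of singular quadratic splittings of y^2 = x^5 - x over F_p."""
    return sum(is_singular(s, p) for s in splittings(roots_x5_minus_x(p)))


def ordered_nonsingular(roots, p):
    """Nonsingular splittings in a fixed order, sorted by the x-coordinates of the
    roots (infinity last); this is one concrete choice of the ordering the walk needs."""
    def key(s):
        val = lambda r: p if r is None else r
        return sorted(sorted(map(val, pair)) for pair in s)
    return [s for s in sorted(splittings(roots), key=key) if not is_singular(s, p)]


def pad_to_3bit_chunks(bits):
    """Split an input bit string into 3-bit values, padding with zeros at the front."""
    bits = "0" * (-len(bits) % 3) + bits
    return [int(bits[k:k + 3], 2) for k in range(0, len(bits), 3)]


def choose_splitting(roots, p, chunk):
    """One hash step: the 3-bit value indexes the first 8 nonsingular splittings."""
    usable = ordered_nonsingular(roots, p)[:8]
    if len(usable) < 8:
        raise ValueError("fewer than 8 nonsingular splittings, cannot absorb 3 bits")
    return usable[chunk]


if __name__ == "__main__":
    for p in (5, 13, 29, 37):
        print(p, count_singular(p))   # 10 for p = 5 (characteristic 5), 6 otherwise
    chunk = pad_to_3bit_chunks("1011")[0]
    print(choose_splitting(roots_x5_minus_x(13), 13, chunk))
```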

Algorithm 2 Proving Proposition 4.7

  S ← {15 non-trivial permutations of Equation (5.1) defined over Q[α_1, …, α_6]}
  BadPrimes ← { }
  Checker ← True
  for J ⊂ S, #J = 7 do
      Add ∏_{1≤i<j≤6} (α_i − α_j) = 1 to J
      G ← Gröbner basis of J as ideal
      if G ≠ {1} then
          Checker ← False
      else
          Write 1 = h_1 f_1 + … + h_8 f_8 for f_i ∈ J
          Add prime factors of denominators of h_i to BadPrimes
      end if
  end for
  return Checker, BadPrimes

5.3 Size of G′p

A priori it is not clear how many vertices the graph G_p defined in the previous chapter has. In the case of elliptic curves we saw that there are roughly p/12 isomorphism classes of supersingular elliptic curves over F_p and that they are all connected through isogenies. For genus two curves there is a somewhat similar result, but now formulated for superspecial curves.

Theorem 5.1. The number of isomorphism classes of superspecial curves of genus two defined over a field of characteristic p is equal to
$$\frac{p^3 + 24p^2 + 141p}{2880} + f(p),$$
where f(p) is a constant term depending only on p (mod 120).

Proof. See [IKO86].

Recall that a superspecial genus two curve is by definition isomorphic to a product of two supersingular elliptic curves. Hence one might predict a quadratic number of superspecial curves. Apparently, however, there is not one canonical way to equip a product of two elliptic curves with a principal polarization (which is needed to view it as a jacobian). Given that the number of superspecial genus two curves is already cubic, the number of supersingular ones must be at least of the same order of magnitude. As shown in the previous chapter, however, we work in a finite component, so we cannot make any assumption based on this. It seems unlikely that a specific formula for the number of vertices of G_p can be found, due to the way it is constructed. Furthermore, we may need to omit the vertices that consist of isomorphism classes of superspecial curves in the implementation of the hash function. So not only would those have to be excluded from the count, excluding them could also break the connected graph G_p into multiple smaller connected components, of which we would only use one, namely G′_p.

For that reason we checked the size of the graphs G′_p heuristically for small values of p, namely p ∈ {5, …, 1013}. The code was implemented in Magma and the algorithm used can be seen in Algorithm 3. The inner loop runs from 1 to f(p), where we let f(p) range over p, p log p, p^2, p^2 log p, p^3 and p^4. Up to p^2 there is a clear increase in the number of vertices found. From then onwards the gain seems insignificant, and on the odd occasion a loss can be spotted. This is a first observation hinting that the size of G′_p may be quadratic in p.

Algorithm 3 Checking the size of G′_p

  Primes ← [ ]
  GraphSize ← [ ]
  for p prime, p ≡ 5 (mod 8), p ≤ 1013 do
      H ← curve defined by y^2 = x^5 − x over F_{p^2}
      S ← {G2-invariants of H}
      for i from 1 to f(p) do
          H ← image of random Richelot isogeny
          Add G2-invariants to S
      end for
      Append p to Primes
      Append #S to GraphSize
  end for
  return Primes, GraphSize

The results can be seen in Figure 5.3. We do a basic regression analysis in the statistical software R to see if we can determine some order of magnitude for our graph for larger values of p. The trend is clearly superlinear, and since we work over a finite field it cannot be exponential: there are only p^6 distinct G2-invariants. Hence we try to fit a polynomial of degree two or higher through our data.

[Figure 5.3: The size of the graph G′_p for p ranging from 5 to 1013 (horizontal axis p from 0 to 1000, vertical axis amount of vertices from 0 to 3 × 10^5).]

The multiple R-squared value for the fit of a quadratic polynomial is 99.65%. For a fit with a polynomial of degree three or higher the multiple R-squared value is 100%. Fitting a polynomial of degree five through our data also explains the variability of the size of our graph in terms of the prime p well (again with a multiple R-squared value of 100%), but only the coefficient of the cubic term is significant. This means that the term of degree five does not make a significant impact, and the same holds if we fit polynomials of even higher degree. So we need only consider a quadratic, cubic or quartic polynomial fit. The quartic case can be excluded as well: its leading coefficient is tiny (of the order of 10^−8) and, while still significant from a statistical point of view, clearly impossible since it is negative. Hence we focus on the quadratic and cubic cases. The respective polynomials that would explain the relation in our data are given by

P = 0.4747242 p^2 − 173.0982 p + 13147.14,

Q = 0.0002543226 p^3 + 0.09239751 p^2 − 20.97896 p + 1064.167.

A visual display of these polynomials together with our data can be seen in Figure 5.4. At first sight a cubic fit seems to work a lot better, although the poor fit of the quadratic polynomial seems to stem mostly from small values of p. This graphical impression is confirmed by a two-way analysis of variance test (ANOVA for short) between the two models. The ANOVA test says that the cubic model is a significantly better fit, although a small caveat is that the same holds for the (impossible) quartic model, which is theoretically an even better fit than the cubic model. Every new data point we want to add (in order to clarify which of the two models is better) takes a significant amount of computation time, since it requires millions of both calculations and stored elements. For that reason we elect to test a couple of specific data points that lie well outside the range of the data used to create the polynomial fits. We opt for p = 1709, p = 1997, p = 2549 and p = 3877 and find the following table.

  p      Computed value   Quadratic fit prediction   Cubic fit prediction
  1709   1,370,347        1,103,840                  1,504,512
  1997   2,038,341        1,560,674                  2,353,090
  2549   3,724,179        2,656,393                  4,759,991
  3877   10,037,558       6,477,687                  16,129,390

There are more sophisticated methods for determining a regression fit through data with statistical software than what we used here. For our purpose, however, it is first of all sufficient to see that the fit is superlinear, since this implies that our graph is large enough to work with. Indeed, the graph in the elliptic curve case only has order of magnitude p/12 and that does not restrict us in any way. Secondly, in order to determine a realistic parameter p for our hash function we can now assume the size of the graph to be quadratic in p, which is backed by the discussion above and by the fact that the larger p is, the closer the computed number of vertices tends to the quadratic fit. Finally, we add these four new computed values to the initial list to find a slightly better quadratic model. The resulting polynomial is

R = 0.800518 p^2 − 560.9884 p + 87977.39.

An image of the final quadratic polynomial fit through our data points can be seen in Figure 5.5. We see that for the largest value (p = 3877) the function starts slightly undershooting the computed value. For simplicity's sake we can say that the size of G′_p seems to be at least 0.8p^2.

5.4 Heuristic Amount of Singular Quadratic Splittings

By Proposition 4.7 we know that any genus two curve has at most 6 singular quadratic splittings, assuming the field we work over has characteristic 0 or at least 13. The number of singular quadratic splittings is completely determined by how often
$$\det\begin{pmatrix} 1 & \alpha_i + \alpha_j & \alpha_i\alpha_j \\ 1 & \alpha_k + \alpha_l & \alpha_k\alpha_l \\ 1 & \alpha_m + \alpha_n & \alpha_m\alpha_n \end{pmatrix} \tag{5.2}$$
can be zero when all α_ι are distinct. For a general matrix M ∈ R^{3×3} with independent standard normal entries we can expect M to have full rank. Indeed, the determinant of M is simply a polynomial in 9 variables, hence it vanishes on a set of measure zero in R^9. The probability of the determinant vanishing is simply the integral over this set of measure zero, hence we can say that this has probability zero.

Obviously in our case there are some distinctions which have to be pointed out.

• We are working over F_{p^2} and not over an infinite field. Finite sets do not have measure zero here.

• There is some clear inherent structure in expression (5.2), which means we cannot talk about a randomly chosen matrix.

• We are working with a specific set of possible α_ι, which may give expression (5.2) even more structure because of properties stemming from the genus two curves associated with them.

[Figure 5.4, panels (a) a quadratic polynomial fit and (b) a cubic polynomial fit: Using polynomial regression in order to try to explain the size of the graph G′_p as a function of p (horizontal axis p from 0 to 1000, vertical axis amount of vertices from 0 to 350000).]

[Figure 5.5: A quadratic polynomial regression fit of the size of the graph G′_p as a function of p after adding 4 extra points that are significantly larger in size than before (horizontal axis p from 0 to 4000, vertical axis amount of vertices from 0 to 10^7).]

From the previous section we estimate that the number of vertices of G′_p grows quadratically. Hence the set of possible α_ι does the same, and despite the aforementioned caveats it seems intuitively clear that we can expect the chance of expression (5.2) vanishing to become smaller as p grows. Once again there is no obvious way to verify this abstractly, given how the graph we work with is constructed. For this reason we perform a small heuristic probability check, similar to how we verified the size of the graph in the previous section, using Algorithm 4. Note that, following the discussion in the previous section, we take paths of length p^2 and not longer. The results of the code can be seen in Figure 5.6. We have omitted the cases p = 5 and p = 13 from the figure, since they made the plot unclear with their respective 66.67% and 19.01% probability.

Algorithm 4 Checking the amount of singular quadratic splittings in G′_p

  Primes ← [ ]
  PercentageSingular ← [ ]
  for p prime, p ≡ 5 (mod 8), p ≤ 1013 do
      H ← curve defined by y^2 = x^5 − x over F_{p^2}
      Zeros ← [ ]
      for i from 1 to p^2 do
          z ← amount of permutations of (5.2) that are zero for α_ι the roots of H
          Append z to Zeros
          H ← image of random Richelot isogeny
      end for
      Append p to Primes
      Append Σ(Zeros) / (15 p^2) to PercentageSingular
  end for
  return Primes, PercentageSingular

The results show a clear downward trend, with the probability of an arbitrary quadratic splitting being singular in G′_1013 as low as 0.18898%. From this point onwards the calculations start requiring a decent amount of computation time, so we again elect to pick a few larger values to see if the trend continues. The results are shown in the following table.

  p                                             1709          1997           2549           3877
  Percentage of singular quadratic splittings   0.108675568   0.0932545538   0.0733524066   0.0478305167

These numbers clearly indicate that as p grows larger, the chance of an arbitrary quadratic splitting being singular when working in G′_p tends to zero.

[Figure 5.6: The expected amount of singular quadratic splittings for an arbitrary genus two curve corresponding to a vertex of G′_p as a function of p (horizontal axis p from 0 to 1000, vertical axis percentage of singular quadratic splittings from 0 to 7).]

5.5 Expanding Properties of G′p

In the case of elliptic curves it was fortunate that G(p, l) is a Ramanujan graph. We first recall the definition of this type of graph.

Definition 5.1. A k-regular connected graph G is a Ramanujan graph if the absolute value of every eigenvalue of the adjacency matrix of G is either k or not larger than 2√(k − 1).

The intuition behind the eigenvalues is as follows. Let G be a k-regular graph with adjacency matrix A. Then the eigenvalues of A are bounded above by k. Furthermore, if G is connected, then A has exactly one eigenvalue λ_0 equal to k (see for example [Mur03]) and the second eigenvalue λ_1 satisfies λ_1 ≤ 2√(k − 1) + o(1) as well as λ_1 ≥ 2√(k − 1) − o(1) (see for example [FKS89]). The spectral gap between λ_0 and λ_1 determines the strength of the expanding properties of G. In that sense Ramanujan graphs are optimal, because they attain the lower bound for λ_1. It also means that even if we were not working in a Ramanujan graph, we could investigate the second eigenvalue of our graph and look at the spectral gap. Ideally this would approach λ_1 = 2√(k − 1) as p tends to infinity.

Unfortunately the graph we work in lacks some of the basic requirements for talking about a Ramanujan graph. Most importantly, G′_p is not a 15-regular graph, since the edges corresponding to singular quadratic splittings are not present. This also implies that we do not have a trivial eigenvalue λ_0, that we may even be working in a graph that is no longer undirected and has dead ends for a walk (leading to imaginary eigenvalues), and that we have no real way of interpreting the spectral gap properly.

Additionally, as argued before, we would need to work heuristically as p grows larger, since we cannot easily store the entire graph. So even if we solved the issue of the singular quadratic splitting computations and worked in G_p instead of G′_p, heuristic computations can be off by quite a bit when it comes to connectedness. If one were to glue two disconnected graph components together by one single edge, for example, this would result in a graph with horrible expansion properties. Any heuristic attempt would therefore fail on a graph similar to this.

So instead of working with the eigenvalues, we look at the trait we are most interested in: the rapid mixing property. This property says that if we take a path in an expander graph of length roughly equal to the logarithm of the size of the graph, then the end vertex is distributed close to uniformly over the whole graph. In our case we have seen that our graph has size of order p^2, so a path of length roughly 2 log p should end up almost anywhere with about equal probability. To test this we used the following algorithm. Note that the size of the graph is of order p^2, hence a sample size of p^3 was chosen. This does imply that the computations are of order p^3 log p, so we cannot take p as large as in the previous sections.

Algorithm 5 Checking the distribution of ending vertices for random walks in G′_p

  for p prime, p ≡ 5 (mod 8), p ≤ 160 do
      S ← {* *} (empty multiset)
      H ← curve defined by y^2 = x^5 − x over F_{p^2}
      for n from 1 to p^3 do
          Chain ⌈2 log p⌉ isogenies starting from H
          Add G2-invariants of final curve to S
      end for
  end for
  return The multiplicities of all elements of S

The results of the algorithm can be seen in Figure 5.7. The graphs show that as p grows larger, we get closer to a uniform distribution. The aforementioned prediction for p equal to 5 is also confirmed: one of the vertices barely has any paths ending in it. The graphs do tend to have a similar pattern, in that there is a distinct number of vertices with a significantly lower percentage of occurrence than the others. Intuitively it would make sense that these coincide with the vertices whose G2-invariants correspond to superspecial genus two curves. Indeed, every singular quadratic splitting results in an edge being removed from G_p to construct G′_p, and all of the corresponding isogenies have a superspecial genus two curve as image, so that these vertices have fewer incoming edges. The problem with verifying this expectation explicitly is that there is no easy way to check whether a genus two curve is superspecial in Magma.

The proportion of vertices with this lower percentage of occurrence seems to shrink as p grows larger, though. To verify this trend a bit further, one more prime (p = 509) was investigated. In order to keep the computing time realistic, a sample size of 50p^2 paths was chosen instead of p^3, whereas the path length ⌈2 log p⌉ remained the same. The result of this algorithm can be seen in Figure 5.8.

The aforementioned trends continue even more clearly now. Keeping the elliptic curve case in mind, we therefore formulate the following working hypothesis:

The graph Gp is a 15-regular expander graph.


[Figure 5.7: nine plots, not reproduced here. Panels (a) p = 13, (b) p = 29, (c) p = 37, (d) p = 53, (e) p = 61, (f) p = 101, (g) p = 109, (h) p = 149, (i) p = 157; horizontal axis: distinct vertices, vertical axis: percentage of occurrence, the vertical scale running to 60% for p = 13 and to 0.08% for p = 157.]

Figure 5.7: The chance of ending up in an arbitrary vertex in G′_p after a walk of length ⌈2 log p⌉, starting from the vertex corresponding to the G2-invariants of H. The sample size was chosen at p^3 random walks each time and the magenta line depicts the (ideal) uniform distribution. For the sake of clarity, the vertices along the horizontal axis are arranged in ascending order of percentage of occurrence; they do not have an intrinsic order otherwise.


[Figure 5.8: plot not reproduced here. Horizontal axis: distinct vertices; vertical axis: percentage of occurrence in units of 10^−3, running from 0 to 2.5.]

Figure 5.8: The chance of ending up in an arbitrary vertex in G′_509 after a walk of length ⌈2 log 509⌉ = 18, starting from the vertex corresponding to the G2-invariants of H. The sample size was chosen at 50 · 509^2 ≈ 1.3 · 10^7 random walks each time and the magenta line depicts the (ideal) uniform distribution. For the sake of clarity, the vertices along the horizontal axis are arranged in ascending order of percentage of occurrence; they do not have an intrinsic order otherwise.


5.6 Hash Function from G′p

In this section we briefly discuss an actual implementation of the hash functiondescribed at the end of the previous chapter. For this we draw the analogy with thecorresponding hash function for elliptic curves that is discussed in [CGL09].

First of all, we need to select an appropriately large prime p. For the elliptic curve case, [CGL09] tested both a 192-bit prime and a 256-bit one. While security is not the main focus of this thesis, it is known that a standard Pollard-rho attack has complexity O(√k), where k is the size of the graph. Since the graph G(p, l) has a size that is linear in p, and G′_p has a size that is quadratic in p, it is logical to use a 128-bit prime and compare it to the aforementioned 256-bit prime. Therefore we fix p as 2^128 − 275, which results in paths of length 256. Note that in the hash function we pad short input messages with zeros at the front. We keep track of the path leading back to our previous vertex by the quadratic splitting we used. The order that is used for the Richelot isogenies is the intrinsic ordering of Magma that belongs to the roots of the quintic or sextic polynomial. This results in the following pseudocode.

Algorithm 6 Hashing an input message m with the graph G′_p

p ← 2^128 − 275
Digits ← array with the digits of message m in base 8, padded with zeros if needed to make sure Digits has length 256
H ← curve defined by y^2 = x^5 − x over F_{p^2}
Backtrack ← {}
for i in Digits do
    Find the i-th quadratic splitting of H that is not singular and is not equal to a permutation of the elements of Backtrack
    H ← curve defined as the image of the isogeny corresponding to the i-th splitting
    Backtrack ← {quadratic factors of the splitting that would take us back}
end for
return G2-invariants of H
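The two algorithms above can be run end to end on a toy instance. The following Python is an added example written for this page, not code from the thesis (whose implementation is in Magma): it builds G′_p for tiny p from y^2 = x^5 − x with the same Richelot formula as the appendix code, computes the exact end-vertex distribution of a random walk of a given length instead of sampling p^3 walks (Algorithm 5), and hashes a string of base-8 digits while skipping the dual, backtracking splitting (Algorithm 6). Three choices are assumptions of this example rather than the thesis's: F_{p^2} is modelled as F_p[t]/(t^2 − 2), which is a field because 2 is a non-square modulo p when p ≡ 5 (mod 8); vertices are identified by a PGL2-canonical form of the six branch points instead of Magma's G2-invariants, which yields the same vertex set because two genus two curves are isomorphic over the algebraic closure exactly when their branch loci are related by a Möbius transformation; and the roots of each image sextic are found by exhaustive search over F_{p^2}, which is why only small p are practical. For p = 13 and p = 29 the enumeration reproduces the 3 and 18 vertices listed for those primes in the R data of Appendix A.3.

```python
"""Added example (not the thesis code): build G'_p for tiny p, then run Algorithm 5 and Algorithm 6 on it.
F_{p^2} = F_p[t]/(t^2 - 2) with elements (a, b) = a + b*t; 2 is a non-square mod p when p = 5 mod 8.
A curve y^2 = f(x) is kept as its six branch points in P^1(F_{p^2}), INF being the point at infinity."""
from collections import Counter
from functools import reduce
from itertools import permutations, zip_longest
INF = None

class Field:
    """F_{p^2} arithmetic and polynomials over it (coefficient lists, lowest degree first)."""
    def __init__(self, p):
        assert p % 8 == 5
        self.p, self.zero, self.one = p, (0, 0), (1, 0)
        self.elems = [(a, b) for a in range(p) for b in range(p)]
    def add(self, u, v): return ((u[0] + v[0]) % self.p, (u[1] + v[1]) % self.p)
    def sub(self, u, v): return ((u[0] - v[0]) % self.p, (u[1] - v[1]) % self.p)
    def mul(self, u, v): return ((u[0]*v[0] + 2*u[1]*v[1]) % self.p, (u[0]*v[1] + u[1]*v[0]) % self.p)
    def inv(self, u):  # (a + b t)^-1 = (a - b t) / (a^2 - 2 b^2); the norm is non-zero for u != 0
        n = pow((u[0]*u[0] - 2*u[1]*u[1]) % self.p, self.p - 2, self.p)
        return (u[0]*n % self.p, -u[1]*n % self.p)
    def trim(self, f):  # strip leading zero coefficients, so that len(f) == deg f + 1
        while len(f) > 1 and f[-1] == self.zero: f.pop()
        return f
    def pmul(self, f, g):
        h = [self.zero] * (len(f) + len(g) - 1)
        for i, a in enumerate(f):
            for j, b in enumerate(g): h[i + j] = self.add(h[i + j], self.mul(a, b))
        return self.trim(h)
    def psub(self, f, g): return self.trim([self.sub(a, b) for a, b in zip_longest(f, g, fillvalue=self.zero)])
    def pder(self, f): return self.trim([self.mul((i % self.p, 0), f[i]) for i in range(1, len(f))] or [self.zero])
    def peval(self, f, x): return reduce(lambda r, a: self.add(self.mul(r, x), a), reversed(f), self.zero)

def pairings(pts):  # the 15 quadratic splittings of six branch points (three unordered pairs), fixed order
    if not pts: return [[]]
    return [[(pts[0], pts[k])] + tail for k in range(1, len(pts)) for tail in pairings(pts[1:k] + pts[k+1:])]
def det3(K, m):  # 3x3 determinant over K, expanded along the first row
    (a, b, c), (d, e, f), (g, h, i) = m
    t = K.sub(K.mul(a, K.sub(K.mul(e, i), K.mul(f, h))), K.mul(b, K.sub(K.mul(d, i), K.mul(f, g))))
    return K.add(t, K.mul(c, K.sub(K.mul(d, h), K.mul(e, g))))

def richelot(K, split):
    """One Richelot step: None if the splitting is singular (no edge in G'_p), else (image branch points, dual splitting)."""
    # G_i: monic polynomial vanishing on the i-th pair, linear when the pair contains INF
    G = [K.pmul(*[[K.sub(K.zero, r), K.one] if r is not INF else [K.one] for r in pair]) for pair in split]
    rows = [list(reversed(g)) if len(g) == 3 else [K.zero] + list(reversed(g)) for g in G]  # (x^2, x, 1)
    if det3(K, rows) == K.zero: return None
    br = lambda u, v: K.psub(K.pmul(K.pder(u), v), K.pmul(u, K.pder(v)))  # [u, v] = u'v - uv'
    H = [br(G[1], G[2]), br(G[2], G[0]), br(G[0], G[1])]
    image = K.pmul(K.pmul(H[0], H[1]), H[2])  # delta * y^2 = H0*H1*H2; the scalar delta moves no root
    roots = [x for x in K.elems if K.peval(image, x) == K.zero] + ([INF] if len(image) == 6 else [])
    assert len(roots) == 6, "image sextic must be squarefree and split over F_{p^2}"
    dual = frozenset(frozenset([x for x in roots if x is not INF and K.peval(Hk, x) == K.zero]
                               + ([INF] if len(Hk) == 2 else [])) for Hk in H)  # splitting of the dual isogeny
    return roots, dual

def canonical(K, pts):
    """Key of a branch locus up to PGL2: smallest sorted image of three points when the other three go to 0, 1, oo."""
    P = [(K.one, K.zero) if r is INF else (r, K.one) for r in pts]  # projective coordinates (X : Z)
    diff = lambda X, A: K.sub(K.mul(X[0], A[1]), K.mul(X[1], A[0]))  # zero exactly when X == A
    def moebius(x, a, b, c):  # the unique map sending a, b, c to 0, 1, oo; (p, 0) stands for oo
        num, den = K.mul(diff(x, a), diff(b, c)), K.mul(diff(x, c), diff(b, a))
        return (K.p, 0) if den == K.zero else K.mul(num, K.inv(den))
    return min(tuple(sorted(moebius(x, a, b, c) for x in P if x not in (a, b, c)))
               for a, b, c in permutations(P, 3))

def start_curve(K):  # branch points of y^2 = x^5 - x: 0, +-1, +-sqrt(-1) (in F_p since p = 1 mod 4), oo
    i = next(x for x in K.elems if K.mul(x, x) == (K.p - 1, 0))
    return [K.zero, K.one, (K.p - 1, 0), i, K.sub(K.zero, i), INF]
def build_graph(p):
    """Exhaustive search of G'_p from x^5 - x: ({vertex: Counter of out-neighbours with multiplicity}, start)."""
    K = Field(p)
    graph, todo = {}, [start_curve(K)]
    while todo:
        pts = todo.pop(); v = canonical(K, pts)
        if v in graph: continue
        graph[v] = Counter()
        for roots, _ in filter(None, (richelot(K, s) for s in pairings(pts))):  # singular: no edge
            graph[v][canonical(K, roots)] += 1
            todo.append(roots)
    return graph, canonical(K, start_curve(K))

def walk_distribution(graph, start, steps):
    """Exact end-vertex distribution of a random walk (Algorithm 5 without sampling)."""
    dist = {start: 1.0}
    for _ in range(steps):  # each out-edge of the multigraph is taken with equal probability
        nxt = Counter()
        for v, pr in dist.items():
            deg = sum(graph[v].values())
            for w, m in graph[v].items(): nxt[w] += pr * m / deg
        dist = nxt
    return dict(dist)

def g2_hash(p, digits):
    """Algorithm 6: base-8 digit d picks the d-th non-singular splitting that is not the dual of the previous step."""
    K = Field(p)
    pts, back = start_curve(K), None
    for d in digits:
        options = [richelot(K, s) for s in pairings(pts) if frozenset(map(frozenset, s)) != back]
        pts, back = [o for o in options if o is not None][d]
    return canonical(K, pts)
```

The base-8 alphabet of g2_hash is exactly what the check in Appendix A.2 guarantees: with at most six singular splittings per curve and the one dual splitting excluded, at least 15 − 6 − 1 = 8 options remain at every step. One caveat when comparing walk lengths with Appendix A.5: Magma's Log is the natural logarithm, so Ceiling(2*Log(p)) is 13 for p = 509, whereas ⌈2 log 509⌉ = 18 in the caption of Figure 5.8 is a base-2 logarithm; walk_distribution takes the number of steps as an explicit argument so that either convention can be checked.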

The implementation of the elliptic curve CGL hash function in [CGL09] was done in C on a 64-bit AMD Opteron 252 2.6 GHz computer. The computation time per input bit in the case of a 256-bit prime was 7.6 · 10^−5 seconds, with an output consisting of 512 bits (being the j-invariant of an elliptic curve over F_{p^2}).

The implementation of our genus two CGL hash function was done in Magma (version 2.32-2) on an Intel(R) Xeon(R) CPU E5-2630 v2 @ 2.60 GHz with 128 GB memory. The computation time per input bit here is 3.6 · 10^−2 seconds and the output consists of 768 bits (being the G2-invariants of a genus two curve over F_{p^2}, where p is now a 128-bit prime).

While this seems to perform a lot worse (by a factor of almost 500), we need to keep in mind that our implementation is rather rudimentary, whereas the one from [CGL09] focused on efficiency. In particular, in our hash function, avoiding the path leading back to the previous vertex seems to be a bottleneck in computation time. Finding a more efficient way of doing this would easily lead to much better performance. Overall though, the computing speed of our basic implementation seems realistic enough that some optimizations could bring it close to the speed of the elliptic curve case, resulting in a practical application.


Chapter 6

Conclusion

As stated in the introduction, one of our main goals was to try to recreate the elliptic curve CGL hash function for genus two curves. We succeeded in this, though with a caveat. The graph that defines our genus two CGL hash function can no longer be made undirected, or at least not easily. The problem stems from the fact that Richelot isogenies corresponding to singular quadratic splittings have no easy formula to work with. A possible suggestion for future work could be to try to find ways of still including these isogenies in our graph. Whether this is a useful suggestion is questionable, since a necessary property of a hash function is that it is easy to compute. So even if one were to find formulas to compute these isogenies, they would need to be simple enough not to complicate the implementation too much.

All of the other results were promising however. Just as in the elliptic curve case, we can work over a finite graph that is completely defined over F_{p^2}, which keeps the computation time in check, amongst other things. The aforementioned degenerate case has a strict theoretical upper bound that we proved, but in practice the chance of it occurring seems to tend to zero as the characteristic of the field we work over grows larger. For this reason, a possible suggestion for future research could be to check how fast it tends to zero, and whether or not we can exploit this in some way. If the degenerate case had a negligible chance of occurring for realistic values of p, one could work in base 14 instead of base 8. This means we would no longer need to make a list of 8 isogenies at each step, but only avoid the isogeny leading back to the previous genus two curve. A proper implementation of this could speed up the hash function significantly, although for that to work one would need to find an efficient way of keeping track of the isogeny leading back.

We also showed that the size of the graph we work over grows faster than in the elliptic curve case. More precisely, we found an at least quadratic relation, whereas in the elliptic curve case it was only linear. Due to the construction of the graph, it seems infeasible (but not impossible) that a precise formula for the size of the graph even exists.

Finally, we showed that the graph we created displayed behavior akin to the rapid-mixing property of expander graphs. One particular subset of vertices had a significantly lower chance of being the ending point of a random walk though. Combining the previous results, it would seem intuitive that this corresponds to the degenerate case involving superspecial genus two curves, although this cannot be verified easily. This issue seems minor however, since the proportion of these worrisome vertices seems to grow small as the characteristic of the field we work over grows large. So for realistic values in a concrete implementation, these vertices should not pose a problem.

The processing speed of our hash function per input bit is noticeably slower than in the elliptic curve case, while the output is 50% larger in size. An obvious further research focus could therefore be to try to optimize this. As mentioned before, finding a proper way to keep track of the isogeny leading back to the previous vertex could prove really helpful in this case.

Finally, we did not really discuss the security of our genus two CGL hash function. In particular, the question 'Is this hash function really one-way?' might still have a negative answer. A starting point to try to answer that question could be our remark at the end of chapter 4. The superspecial genus two curves are a product of supersingular elliptic curves, hence a possible chain of 4 isogenies could perhaps be created on these separate elliptic curves to try to construct a loop in our graph. Such a loop would mean the hash function is no longer collision resistant, which can be exploited by an attacker, though as argued before, it is not clear a priori that these loops even exist at all.


List of Figures

2.1 Hashing the input 110 with starting vertex A results in an output of H. (p. 8)

3.1 The geometric interpretation of the group law of an elliptic curve. (p. 10)

4.1 The geometric interpretation of the group law of a genus two curve. A cubic through two pairs of points intersects the genus two curve in another pair of points. (p. 19)

5.1 The graphs G′_p for p equal to 5 and 13. The numbers indicate the multiplicities of the edges. (p. 35)

5.2 The complete graph G′_29. The colored legend refers to the multiplicities of the edges. (p. 36)

5.3 The size of the graph G′_p for p ranging from 5 to 1013. (p. 40)

5.4 Using polynomial regression in order to try to explain the size of the graph G′_p in function of p. (p. 42)

5.5 A quadratic polynomial regression fit of the size of the graph G′_p in function of p after adding 4 extra points that are significantly larger in size than before. (p. 43)

5.6 The expected amount of singular quadratic splittings for an arbitrary genus two curve corresponding to a vertex of G′_p in function of p. (p. 45)

5.7 The chance of ending up in an arbitrary vertex in G′_p after a walk of length ⌈2 log p⌉, starting from the vertex corresponding to the G2-invariants of H. The sample size was chosen at p^3 random walks each time and the magenta line depicts the (ideal) uniform distribution. For the sake of clarity, the vertices along the horizontal axis are arranged in ascending order of percentage of occurrence; they do not have an intrinsic order otherwise. (p. 47)

5.8 The chance of ending up in an arbitrary vertex in G′_509 after a walk of length ⌈2 log 509⌉ = 18, starting from the vertex corresponding to the G2-invariants of H. The sample size was chosen at 50 · 509^2 ≈ 1.3 · 10^7 random walks each time and the magenta line depicts the (ideal) uniform distribution. For the sake of clarity, the vertices along the horizontal axis are arranged in ascending order of percentage of occurrence; they do not have an intrinsic order otherwise. (p. 48)


Bibliography

[Bos+08] Alin Bostan et al. "Fast algorithms for computing isogenies between elliptic curves". In: Mathematics of Computation 77.263 (2008), pp. 1755–1778.

[CF96] John William Scott Cassels and E. Victor Flynn. Prolegomena to a middlebrow arithmetic of curves of genus 2. Vol. 230. Cambridge University Press, 1996.

[CGL09] Denis X. Charles, Eyal Z. Goren, and Kristin E. Lauter. "Cryptographic hash functions from expander graphs". In: Journal of Cryptology 22.1 (2009), pp. 93–113.

[CJS14] Andrew Childs, David Jao, and Vladimir Soukharev. "Constructing elliptic curve isogenies in quantum subexponential time". In: Journal of Mathematical Cryptology 8.1 (2014), pp. 1–29.

[Coh+05] Henri Cohen et al. Handbook of elliptic and hyperelliptic curve cryptography. CRC Press, 2005.

[CQ05] Gabriel Cardona and Jordi Quer. "Field of moduli and field of definition for curves of genus 2". In: Computational aspects of algebraic curves. World Scientific, 2005, pp. 71–83.

[FKS89] Joel Friedman, Jeff Kahn, and Endre Szemerédi. "On the second eigenvalue of random regular graphs". In: Proceedings of the twenty-first annual ACM symposium on Theory of computing. ACM, 1989, pp. 587–598.

[Har13] Robin Hartshorne. Algebraic geometry. Vol. 52. Springer Science & Business Media, 2013.

[HLW06] Shlomo Hoory, Nathan Linial, and Avi Wigderson. "Expander graphs and their applications". In: Bulletin of the American Mathematical Society 43.4 (2006), pp. 439–561.

[IKO86] Tomoyoshi Ibukiyama, Toshiyuki Katsura, and Frans Oort. "Supersingular curves of genus two and class numbers". In: Compositio Mathematica 57.2 (1986), pp. 127–152.

[JDF11] David Jao and Luca De Feo. "Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies". In: International Workshop on Post-Quantum Cryptography. Springer, 2011, pp. 19–34.

[Lan12] Serge Lang. Introduction to algebraic and abelian functions. Vol. 89. Springer Science & Business Media, 2012.

[Mur03] M. Ram Murty. "Ramanujan graphs". In: Journal of the Ramanujan Mathematical Society 18.1 (2003), pp. 33–52.

[MWZ96] Alfred Menezes, Yi-Hong Wu, and Robert Zuccherato. An elementary introduction to hyperelliptic curves. Faculty of Mathematics, University of Waterloo, 1996.

[Piz90] Arnold K. Pizer. "Ramanujan graphs and Hecke operators". In: Bulletin of the American Mathematical Society 23.1 (1990), pp. 127–137.

[Sho99] Peter W. Shor. "Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer". In: SIAM Review 41.2 (1999), pp. 303–332.

[Sil09] Joseph H. Silverman. The arithmetic of elliptic curves. Vol. 106. Springer Science & Business Media, 2009.

[Smi+05] Benjamin Andrew Smith et al. "Explicit endomorphisms and correspondences". (2005).

[ST92] Joseph H. Silverman and John Torrence Tate. Rational points on elliptic curves. Vol. 9. Springer, 1992.

[Tho17] Erik Thormarker. "Post-Quantum Cryptography: Supersingular Isogeny Diffie-Hellman Key Exchange". MA thesis. Stockholms Universitet, 2017.

[WM68] William C. Waterhouse and J. S. Milne. "Abelian varieties over finite fields". PhD thesis. Harvard University, 1968.


Appendices


Appendix A

Implemented Code

The exact code used for the implementations of chapter 5 can be found here. Wewill use the same section titles for ease of reference. Most of the following code hasbeen implemented in Magma, with one exception being the statistical analysis in R.

A.1 Some small examples of G′p

The following code in Magma is used to list all the vertices and edges with multiplicities of G′_29. For a different prime it suffices to change the first line of the code. Note that this code is only used for small values of p, so it is not optimized, in the sense that we iterate over all permutations of the roots instead of just the 15 distinct quadratic splittings. This leads to a longer computation time, but that is negligible since the field and graph we work with are small anyway.

p := 29;
F<a> := GF(p^2);
R<x> := PolynomialRing(F);
tovisit := {x^5-x};
visited := {};
while not IsEmpty(tovisit) do
    ExtractRep(~tovisit, ~pol);
    H := HyperellipticCurve(pol);
    if G2Invariants(H) notin visited then
        // linear factors of the hyperelliptic polynomial, i.e. the finite Weierstrass points
        Q := SequenceToSet(Factorization(HyperellipticPolynomials(H)));
        sings := 0;
        images := {* *};
        // every ordering of the factors; each distinct splitting occurs degfactor times
        for P in Permutations(Q) do
            P1 := P[1][1]*P[2][1];
            P2 := P[3][1]*P[4][1];
            if #P eq 6 then
                degfactor := 48;
                P3 := P[5][1]*P[6][1];
                X := Matrix(F,3,3,Reverse(Coefficients(P1)) cat
                    Reverse(Coefficients(P2)) cat Reverse(Coefficients(P3)));
            else
                degfactor := 8;   // quintic: the sixth Weierstrass point is at infinity
                P3 := P[5][1];
                X := Matrix(F,3,3,Reverse(Coefficients(P1)) cat
                    Reverse(Coefficients(P2)) cat [0] cat Reverse(Coefficients(P3)));
            end if;
            D := Determinant(X);
            if D eq 0 then
                sings := sings + 1;   // singular splitting: no edge in G'_p
            else
                polnew := 1/(D^3)*(Derivative(P2)*P3-P2*Derivative(P3))*
                    (Derivative(P3)*P1-P3*Derivative(P1))*
                    (Derivative(P1)*P2-P1*Derivative(P2));
                Include(~tovisit, polnew);
                Hnew := HyperellipticCurve(polnew);
                Include(~images, G2Invariants(Hnew));
            end if;
        end for;
        printf "The curve associated to %o has %o singular splittings. Furthermore:\n",
            G2Invariants(H), sings/degfactor;
        images2 := MultisetToSet(images);
        for im in images2 do
            printf "%o edge(s) to %o\n", Multiplicity(images,im)/degfactor, im;
        end for;
    end if;
    Include(~visited, G2Invariants(H));
end while;

A.2 Amount of Singular Quadratic Splittings

The following Magma code was used to prove Proposition 4.7. It checks that no seven of the fifteen splitting determinants of a generic sextic can vanish simultaneously when the six roots are distinct (the ideal generated by any seven of them together with disc − 1 is the unit ideal over Q), and it collects the primes dividing the denominators of the certificate, for which this argument does not apply.

Q<a1,a2,a3,a4,a5,a6> := PolynomialRing(Rationals(),6);
S := {1,2,3,4,5,6};
I := {};
// the determinants of the 15 quadratic splittings of the generic sextic with roots a1..a6;
// every splitting is met several times in the loops, up to sign, and is kept only once
for sub1 in Subsets(S,2) do
    subseq1 := SetToSequence(sub1);
    for sub2 in Subsets(S diff sub1, 2) do
        subseq2 := SetToSequence(sub2);
        subseq3 := SetToSequence(S diff (sub1 join sub2));
        M := Matrix(Q,3,3,[ 1, Q.subseq1[1] + Q.subseq1[2], Q.subseq1[1]*Q.subseq1[2],
                            1, Q.subseq2[1] + Q.subseq2[2], Q.subseq2[1]*Q.subseq2[2],
                            1, Q.subseq3[1] + Q.subseq3[2], Q.subseq3[1]*Q.subseq3[2] ] );
        vgl := Determinant(M);
        if -vgl notin I then
            I join:= {Determinant(M)};
        end if;
    end for;
end for;
// product of the root differences: non-zero exactly when the six roots are distinct
disc := Q ! 1;
for sub in Subsets(S,2) do
    subseq := SetToSequence(sub);
    disc *:= Q.subseq[1] - Q.subseq[2];
end for;
groebnerboolean := true;
badprimes := {};
// any seven determinants together with disc - 1 generate the unit ideal; the primes in the
// denominators of the certificate expressing 1 are the exceptions to the argument
for j in Subsets(I,7) do
    J := {disc-1};
    J join:= j;
    if GroebnerBasis(Ideal(J)) ne [1] then groebnerboolean := false; end if;
    J := IdealWithFixedBasis(SetToSequence(J));
    c := Coordinates(J, Q ! 1);
    for coord in c do
        for coeff in Coefficients(coord) do
            badprimes join:= SequenceToSet(PrimeDivisors(Denominator(coeff)));
        end for;
    end for;
end for;
print groebnerboolean; badprimes;

A.3 Size of G′p

The following Magma code was used to check the size of G′_p as a function of p. Figure 5.3 was made in MATLAB with the resulting data from the output Primes and Size of the code.

Primes := [];
Size := [];
p := 3;
while p le 1000 do
    repeat p := NextPrime(p); until p mod 8 eq 5;
    F := FiniteField(p^2);
    R<x> := PolynomialRing(F);
    H := HyperellipticCurve(x^5-x);
    S := {G2Invariants(H)};
    // random walk of p^2 non-singular Richelot steps, collecting every vertex visited
    for m in [1..p^2] do
        if m mod 10000 eq 0 then   // progress indicator
            print m;
        end if;
        D := 0;
        // draw a random quadratic splitting until its determinant is non-zero
        while D eq 0 do
            Q := Factorization(HyperellipticPolynomials(H));
            Q11 := Random(Q); Exclude(~Q, Q11);
            Q12 := Random(Q); Exclude(~Q, Q12);
            Q21 := Random(Q); Exclude(~Q, Q21);
            Q22 := Random(Q); Exclude(~Q, Q22);
            Q31 := Random(Q); Exclude(~Q, Q31);
            if #Q ne 0 then
                Q32 := Random(Q); Exclude(~Q, Q32);
            else
                Q32 := <1,1>;   // quintic: the sixth Weierstrass point is at infinity
            end if;
            Q1 := LeadingCoefficient(HyperellipticPolynomials(H))*Q11[1]*Q12[1];
            Q2 := Q21[1]*Q22[1];
            Q3 := Q31[1]*Q32[1];
            if Degree(Q3) eq 2 then
                X := Matrix(F,3,3,Reverse(Coefficients(Q1))
                    cat Reverse(Coefficients(Q2))
                    cat Reverse(Coefficients(Q3)));
            else
                X := Matrix(F,3,3,Reverse(Coefficients(Q1))
                    cat Reverse(Coefficients(Q2))
                    cat [0] cat Reverse(Coefficients(Q3)));
            end if;
            D := Determinant(X);
        end while;
        H := HyperellipticCurve(1/(D^3)*(Derivative(Q2)*Q3-Q2*Derivative(Q3))
            *(Derivative(Q3)*Q1-Q3*Derivative(Q1))
            *(Derivative(Q1)*Q2-Q1*Derivative(Q2)));
        Include(~S, G2Invariants(H));
    end for;
    Append(~Primes,p);
    Append(~Size,#S);
end while;
Primes; Size;

The following commands were used in R to determine the polynomial regression that explains the size of G′_p as a function of p. Figure 5.4 and Figure 5.5 were made from this in R.

p <- c(13, 29, 37, 53, 61, 101, 109, 149, 157, 173, 181, 197, 229,
       269, 277, 293, 317, 349, 373, 389, 397, 421, 461, 509, 541, 557,
       613, 653, 661, 677, 701, 709, 733, 757, 773, 797, 821, 829, 853,
       877, 941, 997, 1013)
size <- c(3, 18, 31, 78, 113, 448, 555, 1334, 1553, 2052, 2337, 2976,
          4600, 7352, 7997, 9426, 11853, 15685, 19040, 21519, 22881, 27133,
          35407, 47216, 56378, 61408, 81088, 97348, 100760, 107886, 119395,
          123358, 135730, 148825, 157902, 172220, 187483, 192718, 208925,
          225698, 275150, 323645, 337942)
sample1 <- data.frame(p, size)
# polynomial fits of degree 2 to 5, compared with nested-model F-tests
fit2 <- lm( sample1$size ~ sample1$p + I(sample1$p^2) )
fit3 <- lm( sample1$size ~ sample1$p + I(sample1$p^2) + I(sample1$p^3) )
fit4 <- lm( sample1$size ~ sample1$p + I(sample1$p^2) + I(sample1$p^3)
            + I(sample1$p^4) )
fit5 <- lm( sample1$size ~ sample1$p + I(sample1$p^2) + I(sample1$p^3)
            + I(sample1$p^4) + I(sample1$p^5) )
summary(fit2)
summary(fit3)
summary(fit4)
summary(fit5)
anova(fit2,fit3)
anova(fit3,fit4)
pol2 <- function(x) fit2$coefficient[3]*x^2 + fit2$coefficient[2]*x +
                    fit2$coefficient[1]
pol3 <- function(x) fit3$coefficient[4]*x^3 + fit3$coefficient[3]*x^2 +
                    fit3$coefficient[2]*x + fit3$coefficient[1]
plot(sample1$p, sample1$size, xlab = "p", ylab = "Amount of vertices")
points(sample1$p, predict(fit2), type="l", col="red", lwd=2)
points(sample1$p, predict(fit3), type="l", col="blue", lwd=2)
# predictions of both fits for the two larger primes computed afterwards
pol2(2549)
pol3(2549)
pol2(5021)
pol3(5021)
# second fit, with four larger primes added to the data
p <- c(13, 29, 37, 53, 61, 101, 109, 149, 157, 173, 181, 197, 229,
       269, 277, 293, 317, 349, 373, 389, 397, 421, 461, 509, 541, 557,
       613, 653, 661, 677, 701, 709, 733, 757, 773, 797, 821, 829, 853,
       877, 941, 997, 1013, 1709, 1997, 2549, 3877)
size <- c(3, 18, 31, 78, 113, 448, 555, 1334, 1553, 2052, 2337, 2976,
          4600, 7352, 7997, 9426, 11853, 15685, 19040, 21519, 22881, 27133,
          35407, 47216, 56378, 61408, 81088, 97348, 100760, 107886, 119395,
          123358, 135730, 148825, 157902, 172220, 187483, 192718, 208925,
          225698, 275150, 323645, 337942, 1370347, 2038341, 3724179, 10037558)
sample2 <- data.frame(p, size)
fit2b = lm( sample2$size ~ sample2$p + I(sample2$p^2) )
summary(fit2b)
pol2b <- function(x) fit2b$coefficient[3]*x^2 + fit2b$coefficient[2]*x +
                     fit2b$coefficient[1]
plot(pol2b(1:3877), type='l', col="red", xlab="p", ylab = "Amount of vertices")
points(sample2$p, sample2$size)

A.4 Heuristic Amount of Nonsingular Quadratic Splittings

The following Magma code calculates the percentage of singular quadratic splittings for primes up to p = 1013. For a single larger prime q one can change the third and fourth line to p := q; and while p le q do respectively. Figure 5.6 was made in MATLAB from the output Primes and PercentageSuperspecials.

Primes := [];
PercentageSuperspecials := [];
// the 15 quadratic splittings of the roots P1..P6 as index triples; when the sextic
// has only five roots, P6 is the constant 1 and the pair containing it is a linear factor
splittings := [
    [[1,2],[3,4],[5,6]], [[1,3],[2,4],[5,6]], [[1,4],[2,3],[5,6]],
    [[1,2],[3,5],[4,6]], [[1,3],[2,5],[4,6]], [[1,5],[2,3],[4,6]],
    [[1,2],[4,5],[3,6]], [[1,4],[2,5],[3,6]], [[1,5],[2,4],[3,6]],
    [[1,3],[4,5],[2,6]], [[1,4],[3,5],[2,6]], [[1,5],[3,4],[2,6]],
    [[2,3],[4,5],[1,6]], [[2,4],[3,5],[1,6]], [[2,5],[3,4],[1,6]]
];
// coefficient row (x^2, x, 1) of a quadratic factor; a linear factor is padded with a 0
Row := func< G | Degree(G) eq 2 select Reverse(Coefficients(G))
                                  else [0] cat Reverse(Coefficients(G)) >;
p := 3;
while p le 1000 do
    repeat p := NextPrime(p); until p mod 8 eq 5;
    F := FiniteField(p^2);
    R<x> := PolynomialRing(F);
    AmountOfZeroes := [];
    H := HyperellipticCurve(x^5-x);
    for m in [1..p^2] do
        D := 0;
        // draw a random quadratic splitting until its determinant is non-zero (as in A.3)
        while D eq 0 do
            Q := Factorization(HyperellipticPolynomials(H));
            Q11 := Random(Q); Exclude(~Q, Q11);
            Q12 := Random(Q); Exclude(~Q, Q12);
            Q21 := Random(Q); Exclude(~Q, Q21);
            Q22 := Random(Q); Exclude(~Q, Q22);
            Q31 := Random(Q); Exclude(~Q, Q31);
            if #Q ne 0 then
                Q32 := Random(Q); Exclude(~Q, Q32);
            else
                Q32 := <1,1>;
            end if;
            Q1 := LeadingCoefficient(HyperellipticPolynomials(H))*Q11[1]*Q12[1];
            Q2 := Q21[1]*Q22[1];
            Q3 := Q31[1]*Q32[1];
            D := Determinant(Matrix(F,3,3,Row(Q1) cat Row(Q2) cat Row(Q3)));
        end while;
        // count how many of the 15 splittings of the current curve are singular
        k := LeadingCoefficient(HyperellipticPolynomials(H));
        P := [R | Q11[1], Q12[1], Q21[1], Q22[1], Q31[1], Q32[1]];
        Zeroes := 0;
        for s in splittings do
            G1 := k*P[s[1][1]]*P[s[1][2]];
            G2 := P[s[2][1]]*P[s[2][2]];
            G3 := P[s[3][1]]*P[s[3][2]];
            if Determinant(Matrix(F,3,3,Row(G1) cat Row(G2) cat Row(G3))) eq 0 then
                Zeroes := Zeroes + 1;
            end if;
        end for;
        Append(~AmountOfZeroes, Zeroes);
        // move to the image of the random non-singular splitting drawn above
        H := HyperellipticCurve(1/(D^3)*(Derivative(Q2)*Q3-Q2*Derivative(Q3))*
            (Derivative(Q3)*Q1-Q3*Derivative(Q1))*
            (Derivative(Q1)*Q2-Q1*Derivative(Q2)));
    end for;
    Append(~PercentageSuperspecials, (&+AmountOfZeroes)/#AmountOfZeroes*100.0/15.0);
    Append(~Primes, p);
end while;

A.5 Expanding Properties of G′p

The following Magma code is used to check the distribution of ending vertices from random walks in G′p. Figure 5.7 was made in MATLAB with the output from uniformity.txt.


p := 3;
while p le 150 do
    repeat p := NextPrime(p); until p mod 8 eq 5;
    S := {* *};
    F := FiniteField(p^2);
    R<x> := PolynomialRing(F);
    H := HyperellipticCurve(x^5-x);
    invars := {};
    for n in [1..p^3] do
        for m in [1..Ceiling(2*Log(p))] do
            D := 0;
            while D eq 0 do
                Q := Factorization(HyperellipticPolynomials(H));
                Q11 := Random(Q); Exclude(~Q, Q11);
                Q12 := Random(Q); Exclude(~Q, Q12);
                Q21 := Random(Q); Exclude(~Q, Q21);
                Q22 := Random(Q); Exclude(~Q, Q22);
                Q31 := Random(Q); Exclude(~Q, Q31);
                if # Q ne 0 then
                    Q32 := Random(Q); Exclude(~Q, Q32);
                else
                    Q32 := <1,1>;
                end if;
                Q1 := LeadingCoefficient(HyperellipticPolynomials(H))*Q11[1]*Q12[1];
                Q2 := Q21[1]*Q22[1];
                Q3 := Q31[1]*Q32[1];
                if Degree(Q3) eq 2 then
                    X := Matrix(F,3,3,Reverse(Coefficients(Q1))
                                  cat Reverse(Coefficients(Q2))
                                  cat Reverse(Coefficients(Q3)));
                else
                    X := Matrix(F,3,3,Reverse(Coefficients(Q1))
                                  cat Reverse(Coefficients(Q2))
                                  cat [0] cat Reverse(Coefficients(Q3)));
                end if;
                D := Determinant(X);
            end while;
            H := HyperellipticCurve(1/(D^3)*
                 (Derivative(Q2)*Q3-Q2*Derivative(Q3))*
                 (Derivative(Q3)*Q1-Q3*Derivative(Q1))*
                 (Derivative(Q1)*Q2-Q1*Derivative(Q2)));
        end for;
        Include(~invars, G2Invariants(H));
        Include(~S, G2Invariants(H));
    end for;
    distr := [];
    for invar in invars do
        Append(~distr, 100.0*Multiplicity(S, invar)/(p^3));
    end for;
    Write("uniformity.txt", p);
    Write("uniformity.txt", Sort(distr));
    print p;
end while;


A.6 Hash Function from G′p

The following Magma code calculates the hash of the message n in the graph G′p with p = 2^128 − 275, while also keeping track of the runtime of the algorithm.

n := 123456;
t := Cputime();
N := [];
for i in [1..256] do
    Append(~N, (n mod 8));
    n div:= 8;
end for;
S := {1,2,3,4,5,6};
partitions := {};
for sub1 in Subsets(S,2) do
    for sub2 in Subsets(S diff sub1,2) do
        partitions join:= { {sub1, sub2, (S diff sub1) diff sub2} };
    end for;
end for;
partitionsseq := [];
for parts in partitions do
    partitionsseq cat:= [SetToSequence(parts)];
end for;
p := 2^128-275;
F := FiniteField(p^2);
R<x> := PolynomialRing(F);
H := HyperellipticCurve(x^5-x);
badsplit := {};
for i in N do
    images := [];
    f := HyperellipticPolynomials(H);
    factor := Factorization(f); factor := [f[1] : f in factor];
    k := LeadingCoefficient(HyperellipticPolynomials(H));
    if #factor eq 5 then factor cat:= [R ! 1]; end if;
    for parts in partitionsseq do
        if # images le 8 then
            g1 := &*[ factor[p] : p in parts[1] ];
            g2 := &*[ factor[p] : p in parts[2] ];
            g3 := &*[ factor[p] : p in parts[3] ];
            D := 0;
            if {Roots(g1),Roots(g2),Roots(g3)} ne badsplit then
                if Degree(f) eq 6 then
                    D := Determinant(Matrix(F,3,3,Reverse(Coefficients(k*g1))
                                              cat Reverse(Coefficients(g2))
                                              cat Reverse(Coefficients(g3))));
                elif Degree(g1) eq 1 then
                    D := Determinant(Matrix(F,3,3,[0] cat Reverse(Coefficients(k*g1))
                                              cat Reverse(Coefficients(g2))
                                              cat Reverse(Coefficients(g3))));
                elif Degree(g2) eq 1 then
                    D := Determinant(Matrix(F,3,3,Reverse(Coefficients(k*g1))
                                              cat [0] cat Reverse(Coefficients(g2))
                                              cat Reverse(Coefficients(g3))));
                else
                    D := Determinant(Matrix(F,3,3,Reverse(Coefficients(k*g1))
                                              cat Reverse(Coefficients(g2)) cat
                                              [0] cat Reverse(Coefficients(g3))));
                end if;
                if D ne 0 then
                    Append(~images, [g1,g2,g3,D]);
                end if;
            end if;
        end if;
    end for;
    g := images[i+1];
    D := F ! g[4];
    P := (Derivative(g[2])*g[3]-g[2]*Derivative(g[3]))
         *(Derivative(g[3])*g[1]-g[3]*Derivative(g[1]))
         *(Derivative(g[1])*g[2]-g[1]*Derivative(g[2]))/(D^3);
    H := HyperellipticCurve(P);
    badsplit := {Roots(Derivative(g[2])*g[3]-g[2]*Derivative(g[3])),
                 Roots(Derivative(g[3])*g[1]-g[3]*Derivative(g[1])),
                 Roots(Derivative(g[1])*g[2]-g[1]*Derivative(g[2]))};
end for;
G2Invariants(H);
Cputime(t);
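The single Richelot step that the random walk of A.5 and the hash of A.6 both repeat, as an added Python example that is not part of the thesis's Magma code: it works over the prime field F_13 (13 ≡ 5 mod 8) instead of F_{p^2} so the arithmetic stays short, computes the determinant δ of the coefficient matrix, the three brackets [G_i, G_j] and the codomain polynomial divided by δ^3, pads a linear factor with a leading zero exactly as the Magma code does, and enumerates the 15 quadratic splittings. The field, the start curve y^2 = x^5 − x, the coefficient-list representation and all helper names are this example's own assumptions.

```python
# Constructed example, not the thesis's Magma code: one Richelot step over F_13
# (13 = 5 mod 8) instead of F_{p^2}, from y^2 = x^5 - x = x(x-1)(x+1)(x-5)(x-8).
# Polynomials are coefficient lists in descending degree (Magma's Reverse(Coefficients)).
p = 13

def trim(a):  # reduce mod p and drop leading zeros
    a = [c % p for c in a]
    while len(a) > 1 and a[0] == 0:
        a = a[1:]
    return a
def pmul(a, b):
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] += x * y
    return trim(out)
def psub(a, b):  # a - b, after aligning the lengths
    n = max(len(a), len(b))
    a, b = [0] * (n - len(a)) + a, [0] * (n - len(b)) + b
    return trim([x - y for x, y in zip(a, b)])
def pderiv(a):
    return trim([c * (len(a) - 1 - i) for i, c in enumerate(a[:-1])]) if len(a) > 1 else [0]
def bracket(g, h):  # [g,h] = g'h - gh', the quadratics in the Richelot formula
    return psub(pmul(pderiv(g), h), pmul(g, pderiv(h)))
def det3(rows):
    (a, b, c), (d, e, f), (g, h, i) = rows
    return (a*(e*i - f*h) - b*(d*i - f*g) + c*(d*h - e*g)) % p

def richelot_step(G1, G2, G3):
    """One edge of G'_p: f = G1*G2*G3 -> f' = [G2,G3][G3,G1][G1,G2] / delta^3.
    A linear G_i gets a leading 0 as in the thesis code; delta = 0 is the singular splitting."""
    delta = det3([[0] * (3 - len(g)) + g for g in (G1, G2, G3)])
    if delta == 0:
        return 0, None  # singular splitting: the walk must skip it
    f_new = pmul(pmul(bracket(G2, G3), bracket(G3, G1)), bracket(G1, G2))
    inv = pow(delta, -3, p)  # 1/delta^3 in F_p (Python >= 3.8)
    return delta, [c * inv % p for c in f_new]

def splittings(factors):
    """The 15 quadratic splittings: six factors grouped into three pairs (a
    degree-5 f gets the constant 1 as sixth factor, as in the thesis code)."""
    out = []
    for m in range(1, 6):
        rest = [i for i in range(1, 6) if i != m]
        for x in rest[1:]:
            pairs = [(0, m), (rest[0], x), tuple(i for i in rest[1:] if i != x)]
            out.append(tuple(pmul(factors[a], factors[b]) for a, b in pairs))
    return out

FACTORS = [[1, 0], [1, -1], [1, 1], [1, -5], [1, -8], [1]]  # x, x-1, x+1, x-5, x-8, 1
```

For the first splitting, x(x−1) · (x+1)(x−5) · (x−8), the determinant is δ = 3 and the codomain is y^2 = 3x^6 + 5x^5 + 6x^4 + 9x^3 + 9x^2 + 8x + 2 over F_13; a walk picks one of the non-singular splittings per message digit, as the Magma code above does with images[i+1].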


Index

G(p, l) graph, 13–14
G2-invariants, 21
Gp graph, 31
G′p graph, 31–32
j-invariant, 11
n-torsion, 10, 20
divisor, 3
elliptic curve, 9
    ordinary, 11
    supersingular, 11
expander graph, 7
genus, 4
genus two curve, 18
    ordinary, 21
    supersingular, 21
    superspecial, 24
Gröbner basis, 6
hash function, 6
    CGL hash function, 6–8
isogeny, 12, 21
    degree, 12
jacobian, 20
    superspecial, 24
quadratic splitting, 21–22
    singular, 23
Ramanujan graph, 7
Richelot isogenies, 21–25
Weierstraß point, 18
zeta function, 5


ESAT/COSIC
Kasteelpark Arenberg 10, bus 2452
3001 HEVERLEE, BELGIE
tel. + 32 16 32 10 50
fax + 32 16 32 19 69

www.kuleuven.be