Failing to hash into supersingular isogeny graphs

TL;DR

This paper reviews various failed approaches to creating cryptographically secure hash functions into supersingular isogeny graphs, highlighting the significant challenges in producing hard supersingular curves without trusted authorities.

Contribution

It systematically documents multiple unsuccessful methods and obstacles in constructing hash functions into supersingular isogeny graphs, aiming to guide future research.

Findings

Multiple approaches have been attempted without success.

Challenges stem from the complexity of supersingular curve endomorphism rings.

The paper clarifies the difficulty of creating secure, trustless hash functions in this context.

Abstract

An important open problem in supersingular isogeny-based cryptography is to produce, without a trusted authority, concrete examples of "hard supersingular curves" that is, equations for supersingular curves for which computing the endomorphism ring is as difficult as it is for random supersingular curves. A related open problem is to produce a hash function to the vertices of the supersingular $\ell$-isogeny graph which does not reveal the endomorphism ring, or a path to a curve of known endomorphism ring. Such a hash function would open up interesting cryptographic applications. In this paper, we document a number of (thus far) failed attempts to solve this problem, in the hope that we may spur further research, and shed light on the challenges and obstacles to this endeavour. The mathematical approaches contained in this article include: (i) iterative root-finding for the supersingular polynomial; (ii) gcd's of specialized modular polynomials; (iii) using division polynomials to create small systems of equations; (iv) taking random walks in the isogeny graph of abelian surfaces; and (v) using quantum random walks.