Generating a supersingular elliptic curve such that nobody knows its endomorphism ring is notoriously hard task, despite several isogeny-based protocols relying on an object. A trusted setup often proposed as workaround, but aspects remain unclear. In this work, we develop the tools necessary to practically run distributed trusted-setup ceremony. Our key contribution first statistically zero-kn...

A curve over finite field is supersingular if its Jacobian is supersingular as an abelian variety. On the one hand, supersingular abelian varieties form the smallest (closed) stratum in the moduli space of abelian varieties, on the other the intersection of Jacobian locus and the stratification of moduli space is little known. Consequently it is very difficult to locate a family of supersingula...

We revisit theoretical background on OSIDH (Oriented Supersingular Isogeny Diffie-Hellman protocol), which is an isogeny-based key-exchange protocol proposed by Colò and Kohel at NutMiC 2019. give a proof of fundamental theorem for OSIDH. The was stated without proof. Furthermore, we consider parameters OSIDH, sufficient condition the to work, estimate size certain security level.

In this paper we describe how to efficiently implement pairing calculation on supersingular genus 2 curves over prime fields. We find that, contrary to the results reported in [8], pairing calculation on supersingular genus 2 curves over prime fields is efficient and a viable candidate for practical implementation. We also show how to eliminate divisions in an efficient manner when computing th...

Isogeny-based cryptography using supersingular elliptic curves — most prominently, the constructions of De Feo-Jao-Plut — is one of the few practical candidates for post-quantum public key cryptography. Its formidable security claim is earned through the continual exploration of quantum algorithms for ‘isogeny problems’ and the assessment of the threat they pose to supersingular isogeny-based c...

Let A be an abelian variety defined over a non-prime finite field Fq that has embedding degree k with respect to a subgroup of prime order r. In this paper we give explicit conditions on q, k, and r that imply that the minimal embedding field of A with respect to r is Fqk . When these conditions hold, the embedding degree k is a good measure of the security level of a pairing-based cryptosystem...

The decision-Diffie-Hellman problem (DDH) is a central computational problem in cryptography. It is already known that the Weil and Tate pairings can be used to solve many DDH problems on elliptic curves. A natural question is whether all DDH problems are easy on supersingular curves. To answer this question it is necessary to have suitable distortion maps. Verheul states that such maps exist, ...

We give an algorithm that constructs, on input of a prime power q and an integer t, a supersingular elliptic curve over Fq with trace of Frobenius t in case such a curve exists. If GRH holds true, the expected run time of our algorithm is e O((log q)). We illustrate the algorithm by showing how to construct supersingular curves of prime order. Such curves can readily be used for pairing based c...