Comprehensive Analysis and Implementation of Isogeny-Based Hash Functions

Comprehensive Analysis and Implementation of Isogeny-Based Hash Functions

This paper analyzes the security and performance of the isogeny-based hash functions. The isogeny-based hash function was first proposed by Charles, Goren, and Lauter, and is referred to as the CGL hash function. However, Lauter and Petit demonstrated that a collision could be found if the endomorph...

Full description

Saved in:
Bibliographic Details
Main Authors: Donghoe Heo, Jeonghwan Lee, Taehoon Kang, Suhri Kim, Seokhie Hong
Format: Article
Language:English
Published: IEEE 2024-01-01
Series:IEEE Access
Subjects:
Supersingular isogeny
provably secure hash
post-quantum cryptography
Online Access:https://ieeexplore.ieee.org/document/10743187/
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:This paper analyzes the security and performance of the isogeny-based hash functions. The isogeny-based hash function was first proposed by Charles, Goren, and Lauter, and is referred to as the CGL hash function. However, Lauter and Petit demonstrated that a collision could be found if the endomorphism ring of the starting curve is known. Subsequently, isogeny hash functions that mitigate the Lauter-Petit attack have been proposed. This paper analyzes three methods that counter the Lauter-Petit attack: the methods proposed by Panny, Zaman and Min, and Larsson. In particular, we propose a new isogeny-based hash function <monospace>SHH</monospace>, which exploits Panny&#x2019;s method with Hessian curves. We then analyze the security and performance of the proposed <monospace>SHH</monospace> along with the methods by Zaman and Min (<monospace>SCH</monospace>) and Larsson (<monospace>SLH</monospace>). More specifically, the security was analyzed in the context of the Lauter-Petit attack, collision resistance, and fault tolerance. The analysis in this paper shows that all three algorithms can counter the Lauter-Petit attack. However, for <monospace>SCH</monospace>, we demonstrated that collision pairs could be found with carelessly chosen parameters. This paper also provides guidelines for selecting parameters to make <monospace>SCH</monospace> collision-resistant. From a fault-tolerance perspective, <monospace>SCH</monospace> and <monospace>SLH</monospace> are not fault-tolerant. We also present the results of implementing the three algorithms in SageMath. The implementation results show that at the 128-bit security level, hashing a 256-bit message takes 0.130s for <monospace>SCH</monospace>, 0.125s for projective-<monospace>SLH</monospace>, and 0.162s for <monospace>SHH</monospace>. As can be seen from the implementation results, projective-<monospace>SLH</monospace> is the most efficient, while <monospace>SHH</monospace> performs slower due to the use of a larger finite field.
ISSN:2169-3536

Similar Items