Log In Sign Up

Undeniable signatures based on isogenies of supersingular hyperelliptic curves

We present a proposal for an undeniable signature scheme based in supersingular hyperelliptic curves of genus 2.


page 1

page 2

page 3

page 4


Non-congruent non-degenerate curves with identical signatures

We construct examples of non-congruent, non-degenerate simple planar clo...

Genus 2 Supersingular Isogeny Oblivious Transfer

We present an oblivious transfer scheme that extends the proposal made b...

Classification of curves in 2D and 3D via affine integral signatures

We propose a robust classification algorithm for curves in 2D and 3D, un...

An Application of Nodal Curves

In this work, we present an efficient method for computing in the genera...

Systematization of Knowledge and Implementation: Short Identity-Based Signatures

Identity-Based signature schemes are gaining a lot of popularity every d...

Learning Curves for Analysis of Deep Networks

A learning curve models a classifier's test error as a function of the n...

1 Introduction

An undeniable signature is a digital signature scheme which allows the signer to be selective to whom they allow to verify signatures. The scheme adds explicit signature repudiation, preventing a signer later refusing to verify a signature by omission; a situation that would devalue the signature in the eyes of the verifier.

Currently, there exists some concern about the definition of cryptographic algorithms able to resist attacks using a quantum computer. Among the techniques presumably able to lead to quantum-resistant cryptographic schemes, we find the use of isogenies of supersingular elliptic curves, which has proved to be an interesting solution in the definition of key exchanges [5], digital signatures [6] and also has been explored in the definition of hash functions [4], [23] and oblivious transfer protocols [1].

As pointed out by [3], there is a general awareness that many proposals, such as the isogeny-based Diffie-Hellman key exchange, should be generalized to principally polarized abelian surfaces. Among the motivations that support the research based on isogenies of higher genus curves we find the fact that the genus isogeny graph is much regular than the graph in the genus setting and this gives the chance to achieve similar security levels with less isogeny computations together with the opportunity to perform better security analysis. Furthermore, as noted in [24], the number of -isogenies between elliptic curves is three whereas abelian surfaces have fifteen -isogenies, and this fact may improve the security of schemes using supersingular hyperelliptic curves.

This paper follows the philosophy in [3] and presents a proposal for a genus undeniable digital signature scheme based on the proposal in [16] and using the techniques developed in [8].

Concerning the structure of the document: the introduction is followed by the basics about the required mathematics (jacobians and Richelot isogenies, essentially) and undeniable signatures. Section 3 is devoted to the genus signature scheme, where we define the set-up, the key generation process and the signature procedure. The paper is closed with Section 4, devoted to the computationally complex problems involved in the security of the scheme, together with a few remarks on the correctness of our proposal.

2 Fundamentals

This section is devoted to the mathematical requirements for the correct understanding of the forthcoming sections of this paper. The main reference for abelian varieties is [20], whereas [8] is a very good reference for the study of the structure of the isogeny graph in the genus-2 framework.

2.1 Mathematical background

A Richelot isogeny is a -isogeny between jacobians of genus curves , that is: its kernel is isomorphic, as a group, to and is maximal isotropic with respect to the -Weil pairing.

Those familiar with isogeny graphs know that -invariants play a central role in the definition of the graph. In the genus context the role played by the -invariant is replaced with the so called -invariants [2]. The -invariants of a genus curve are absolute invariants that characterize the isomorphism class of the curve. Let be a genus curve and let , , , and denote the associated Igusa invariants, then the -invariants are defined as follows:


It is known (Chapter V, Section 13 [20]) that an ample divisor of an abelian variety defines an isogeny called a polarization of . If is an isomorphism, then the polarization is called principal, and is a principally polarized abelian variety. The degree of a polarization is its degree as an isogeny.

The following result, allows us to work with jacobians of hyperelliptic curves of genus :

Theorem 2.1 (Theorem 1 [8])

Given a prime and a finite field . If is a principally polarized abelian surface over , then:

  1. , where denotes the jacobian of some smooth (hyperelliptic) genus curve , or

  2. for some elliptic curves and .


The proof of (1) follows from Theorem 4 [22] whereas (2) is a direct consequence of Theorem 3.1 [13].

Another key ingredient is Proposition 1 [8] which proves the fact that isogenies with isotropic kernels preserve principal polarizations, what motivates using Richelot isogenies.

Proposition 1 (Proposition 1 [8])

Let be a hyperelliptic curve of genus over . Let be a finite, proper and -rational subgroup of . There exists a principally polarized abelian surface over and an isogeny with kernel generated by if, and only if, is a maximal -isotropic subgroup of for some positive integer .


The existence of follows immediately from Theorem 10.1 (Chapter VII, Section 10 [20]). In order to prove that it is in fact a principally polarized abelian surface, one defines a polarization on , which is equipped with a principal polarization . One gets a polarization on of degree using Theorem 16.8 and Remark 16.9 (Chapter V, Section 16 [20]).

2.2 Undeniable signatures

We follow Section 4.1 [16] in order to define an undeniable digital signature scheme as a tuple of algorithms

UDS = (KeyGen, Sign, Check, CON, DIS),

where the role of CON is for the signer to prove to the verifier that the signature is valid, whereas DIS allows a valid signer to prove to the verifier that the signature received is not valid.

The scheme must be both unforgeable and invisible, where unforgeability is described with the following game between a challenger and an adversary :

  1. The challenger generates a pair of keys and provides with .

  2. Given some and for , queries Sign adaptively with a message in order to obtain a signature .

  3. outputs a forgery .

The adversary is allowed to submit pairs to Check in step 2, which proceed as follows:

  1. If is a valid pair, then Check outputs a bit and proceeds with the execution of CON.

  2. Otherwise Check proceeds with the execution of DIS.

The adversary succeeds in producing a strong forgery if is valid and not among the pair generated during the queries in step 2

. The signature scheme is strongly unforgeable if the probability of

succeeding in producing a strong forgery is negligible for any probabilistic polynomial time adversary .

Concerning invisibility, it is defined through the following game between a challenger and an adversary:

  1. The challenger generates a pair of keys and provides with .

  2. The adversary is allowed to issue, adaptively, a series of signing queries to Sign and receive signatures .

  3. At some point, takes a message and sends it to the challenger.

  4. The challenger takes a random bit . If , the he computes the real signature for using . Otherwise he computes a fake signature for and sends it to .

  5. The adversary issues some more signing queries.

  6. At the end of the game, outputs a guess .

The adversary is allowed to submit pairs to Check adaptively in steps 2 and 5, but it is not allowed to submit the challenge to Check in step 5. Further, is not allowed to submit to Sign.

The signature scheme is invisible if no probabilistic polynomial time adversary has non-negligible advantage in this game.

For an undeniable signature to be secure, it is required to satisfy both unforgeability and invisibility. Furthermore, both CON and DIS must be complete, sound and zero-knowledge.

3 Genus 2 undeniable digital signature scheme

Here we define our undeniable digital signature scheme for supersingular hyperelliptic curves. The proposal relies heavily in the proposal made by Jao and Soukharev [16] using the techniques used by the author in [7].

3.1 Set-up

Let us consider a prime of the form where and are integers and is small. Fix a supersingular hyperelliptic curve of genus which can be found by thinking it as the double cover of a supersingular elliptic curve of genus . We then use a random sequence of Richelot isogenies to get a random principally polarized supersingular abelian surface. We also consider generating sets , and for , and , respectively. Finally, we take a hash function .

3.2 Key generation

The signer takes parameters following the techniques described in Section 3.2 [8] and computes an isogeny , with kernel


together with and the invariants . Then:

  • .

  • .

3.3 Signing

Let be the space of admitted messages. For a given message the signer computes the hash value . The signer also computes


together with the following isogenies and points:

  • .

  • .

  • .

  • .

  • .

The signature is defined as .

The following diagram provides a global view of the above calculations and of the signing procedure:


3.4 The algorithms CON and DIS

The algorithms CON and DIS are required when we need to prove that a received signature is valid or when the signer is required to prove that a signature is not valid, respectively. Both algorithms have a common part:

  1. The signer takes parameters , according to Section 3.2 [8], and computes:

    1. The isogeny whose kernel is given by

    2. The isogeny whose kernel is given by


      We observe that

    3. .

    4. The isogeny whose kernel is given by and

    5. .

  2. The signer outputs and as the commitment.

  3. The verifier takes a random bit .

We now describe the algorithm CON:

  • If : the signer sends . Using , the verifier computes . Using , the verifier computes . Using the digital signature, the verifier may compute and, with , the verifier can compute in order to check the commitment.

  • If : the signer sends and the verifier computes together with and checks that each and maps between the curves specified in the commitment.

Concerning DIS, let be a falsified version of and , for , be the falsified points corresponding to . Then:

  • If : the signer outputs and the verifier computes , , and , whose kernel is given by:

  • If : the signer outputs and the verifier computes and and checks that these isogenies map to .

4 Complexity and security

It is important to observe that the security analysis of the genus problems extends to our setting easily and so, those interested in further details are invited to read [10].

Let us consider a prime of the form , a supersingular hyperelliptic curve over and bases , and for , and respectively.

The following problems are assumed to be infeasible in a quantum setting:

Problem 1 (DSSI: Decisional supersingular isogeny problem)

Let be another supersingular hyperelliptic curve over with genus . Decide whether is -isogenous to .

Problem 2 (CSSI: Computational supersingular isogeny problem)

Let be a supersingular hyperelliptic curve over with genus . Let be an isogeny whose kernel is generated by


for some . Given and , find generators for .

Problem 3 (SSCDH: Supersingular computational Diffie-Hellman)

Let us consider an isogeny whose kernel is


for some and let whose kernel is


for some . Given and the jacobians , find the set associated to .

Problem 4 (SSDDH: Supersingular decision Diffie-Hellman)

Given a tuple sampled with probability from one of the following two distributions:

  1. , where , , , are as in Problem 3 and

  2. , where , , , are as in Problem 3 and , with

    where and are chosen following the criteria in Section 3.2 [8].

determine from which distribution the tuple sampled.

Problem 5 (DSSP: Decisional supersingular product)

Given an -isogeny and a tuple sampled with probability from one of the following two distributions:

  1. where the product is chosen at random among those -isogenous to and where is a random -isogeny, and

  2. where is chosen at random among those surfaces with the same cardinality as and is a random -isogeny,

determine which distribution the tuple is sampled.

Problem 6 (MSSCDH: Modified supersingular computational Diffie-Hellman)

Keeping the notations used in problem 4, given and , determine whether .

Problem 7 (MSSDDH: Modified supersingular decision Diffie-Hellman)

Keeping the notations used in problem 4, given and , determine .

Problem 8 (1MSSCDH: Modified supersingular computational Diffie-Hellman, one-sided version)

Given and an oracle to solve problem 6 for any , where , solve problem 6 for and .

Problem 9 (1MSSDDH: Modified supersingular decisional Diffie-Hellman, one-sided version)

Given and an oracle to solve problem 7 for any where , solve problem 7 for and .

4.1 Remarks on security: completeness, soundness, zero-knowledge, unforgeability and invisibility

Concerning the security of these algorithms, it is required to prove that both CON and DIS are complete, sound and zero-knowledge. We recall [11] that a verification system is complete if some prover is able to convince the verifier of true statements, whereas soundness describes the ability of the verifier to detect false statements.

When it comes to prove completeness, soundness and zero-knowledge for CON and DIS, we may use the reasoning in [16] having in mind that random integers are now replaced by scalars satisfying certain conditions that guarantee maximality and isotropicity. Furthermore, there is a subtlety concerning completeness for the DIS protocol: if contains subgroups such that , then would be a branch point in the covering space of the jacobian of the modular curve , which is hyperelliptic in a few specific cases [21]. Therefore the chance of being equal to such a jacobian is negligible.

In order to prove unforgeability and invisibility, we can use, again after adapting the methods for our genus-2 context, the reasonings of [16].


  • [1] Barreto, P., Oliveira, G., Benits, W.: Supersingular Isogeny Oblivious Transfer. arXiv:1805.06589v1 (2018)
  • [2] Cardona, G., Quer, J.: Field of moduli and field of definition for curves of genus 2. arXiv:math/0207015v1 (2002)
  • [3] Castryck, W., Decru, T., Smith, B.: Hash functions from superspecial genus-2 curves using Richelot isogenies. arXiv:1903.06451v1 (2019)
  • [4] Charles, D.X., Lauter, K.E., Goren, E.Z.: Cryptographic Hash Functions from Expander Graphs. Journal of Cryptology 22(1), 93–113 (2009)
  • [5] De Feo, L., Jao, D., Plût, J.: Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. Journal of Mathematical Cryptology 8(3): 209–247 (2015)
  • [6] De Feo, L., Galbraith, S.D.: SeaSign: Compact isogeny signatures from class group actions. Cryptology ePrint Archive: Report 2018/824 (2018)
  • [7] Fernàndez-València, R.: Genus Supersingular Isogeny Oblivious Transfer. Cryptology ePrint Archive: Report 2019/758 (2019)
  • [8] Flynn, E.V., Bo Ti, Y.: Genus Two Cryptography. Cryptology ePrint Archive: Report 2019/177 (2019)
  • [9] Galbraith, S.D.: Mathematics of public key cryptography. 1st edn. Cambridge University Press, United Kingdom (2012)
  • [10] Galbraith, S.D., Vercauteren, F.: Computational problems in supersingular elliptic curve isogenies. Quantum Information Processing 17(10), 1–22 (2018)
  • [11] Goldreich, O.: Foundations of Cryptography: Volume 1, Basic Techniques. Cambridge University Press, United Kingdom, United States of America (2004)
  • [12] Goldreich, O.: Foundations of Cryptography: Volume 2, Basic Applications. 1st edn. Cambridge University Press, United States of America (2004)
  • [13] Gonzalez, J., Guardia, J., Rotger, V.: Abelian Surfaces of -type as Jacobians of Curves. arXiv:math/0409352v1 (2004)
  • [14] Hazay, C., Lindell, Y.: Efficient Secure Two-Party Protocols: Techniques and Constructions. 1st edn. Springer-Verlag, Germany (2010)
  • [15] Ibrahim, S., Kamat, M., Salleh, M., Aziz S.R.A.: Secure E-voting with blind signature, 4th National Conference of Telecommunication Technology, 2003. NCTT 2003 Proceedings, Shah Alam, Malaysia (2003)
  • [16] Jao, D., Soukharev, V.: Isogeny-Based Quantum-Resistant Undeniable Signatures. In: Mosca M. (eds) Post-Quantum Cryptography. PQCrypto 2014. Lecture Notes in Computer Science, vol 8772. Springer, Cham (2014)
  • [17]

    Kilian, J.: Founding crytpography on oblivious transfer. STOC ’88 Proceedings of the twentieth annual ACM symposium on Theory of computing, 20–31 (1988)

  • [18] Kucharczyk, M.: Blind Signatures in Electronic Voting Systems. In: Kwiecień A., Gaj P., Stera P. (eds) Computer Networks. CN 2010. Communications in Computer and Information Science, vol 79. Springer, Berlin, Heidelberg (2010)
  • [19] Lang, S.: Abelian Varieties. Reprint edition. Dover Publications, United States of America (2019)
  • [20] Milne, J.S.: Abelian Varieties. In: Cornell, G., Silverman, J.H. (eds.) Arithmetic Geometry. Springer-Verlag, United States of America (1986)
  • [21] Ogg, A.P.: Hyperelliptic modular curves. Bulletin de la S. M. F., 102, 449 – 462 (1974)
  • [22] Oort, F., Ueno, K.: Principally Polarized Abelian Variaties of Dimension Two or Three are Jacobian Varieties. Aarhus Universitet Preprint Series 38 (1973)
  • [23] Tachibana, H., Takashima, K., Takagi, T.: Constructing an efficient hash function from 3-isogenies. JSIAM Letters 9, 29–32 (2017)
  • [24] Takashima, K.: Efficient Algorithms for Isogeny Sequences and Their Cryptographic Applications. In Takagi, T., Wakayama, M., Tanaka, K., Kunihiro, N., Kimoto, K., Duong, D.H. (eds.) Mathematical Modelling for Next-Generation Cryptography. Springer, Singapore (2018)