by Castryck, Wouter; Decru, Thomas; Kutas, Péter; Laval, Abel; Petit, Christophe; Ti, Yan Bo
Reference: Lecture Notes in Computer Science, 16000 LNCS, pages 167-200
Publication: Published, 2025-01-01
Peer-reviewed article
Abstract: Following Ibukiyama, Katsura and Oort, all principally polarized superspecial abelian surfaces over $\overline{\mathbb{F}}_p$ can be represented by a certain type of $2 \times 2$ matrix $g$, having entries in the quaternion algebra $B_{p,\infty}$. We present a heuristic polynomial-time algorithm which, upon input of two such matrices $g_1, g_2$, finds a “connecting matrix” representing a polarized isogeny of smooth degree between the corresponding surfaces. Our algorithm should be thought of as a two-dimensional analog of the KLPT algorithm from 2014 due to Kohel, Lauter, Petit and Tignol for finding a connecting ideal of smooth norm between two given maximal orders in $B_{p,\infty}$. The KLPT algorithm has proven to be a versatile tool in isogeny-based cryptography, and our analog has similar applications; we discuss two of them in detail. First, we show that it yields a polynomial-time solution to a two-dimensional analog of the so-called constructive Deuring correspondence: given a matrix $g$ representing a superspecial principally polarized abelian surface, realize the latter as the Jacobian of a genus-2 curve (or, exceptionally, as the product of two elliptic curves if it concerns a product polarization). Second, we show that, modulo a plausible assumption, Charles–Goren–Lauter style hash functions from superspecial principally polarized abelian surfaces require a trusted set-up. Concretely, if the matrix $g$ associated with the starting surface is known, then collisions can be produced in polynomial time. We deem it plausible that all currently known methods for generating a starting surface indeed reveal the corresponding matrix. As an auxiliary tool, we present an efficient method for converting isogenies of powersmooth degree into the corresponding connecting matrix, a step for which a previous approach by Chu required super-polynomial (but sub-exponential) time.