International Association for Cryptologic Research

Supersingular Curves You can Trust

Andrea Basso, University of Birmingham
Giulio Codogni, Università degli Studi di Roma Tor Vergata
Deirdre Connolly, Zcash Foundation
Luca De Feo, IBM Research Europe
Tako Boris Fouotsa, EPFL
Guido Maria Lido, Università degli Studi di Roma Tor Vergata
Travis Morrison, Virginia Tech
Lorenz Panny, Academia Sinica
Sikhar Patranabis, IBM Research India
Benjamin Wesolowski, Univ. Bordeaux, INRIA
DOI: 10.1007/978-3-031-30617-4_14 (login may be required)
Presentation: Slides
Conference: EUROCRYPT 2023
Abstract: Generating a supersingular elliptic curve such that nobody knows its endomorphism ring is a notoriously hard task, despite several isogeny-based protocols relying on such an object. A trusted setup is often proposed as a workaround, but several aspects remain unclear. In this work, we develop the tools necessary to practically run such a distributed trusted-setup ceremony. Our key contribution is the first statistically zero-knowledge proof of isogeny knowledge that is compatible with any base field. To prove statistical ZK, we introduce isogeny graphs with Borel level structure and prove they have the Ramanujan property. Then, we analyze the security of a distributed trusted-setup protocol based on our ZK proof in the simplified universal composability framework. Lastly, we develop an optimized implementation of the ZK proof, and we propose a strategy to concretely deploy the trusted-setup protocol.
  title={Supersingular Curves You can Trust},
  author={Andrea Basso and Giulio Codogni and Deirdre Connolly and Luca De Feo and Tako Boris Fouotsa and Guido Maria Lido and Travis Morrison and Lorenz Panny and Sikhar Patranabis and Benjamin Wesolowski},