arxiv: 1907.00475 · v4 · pith:UBP6DKFLnew · submitted 2019-06-30 · 💻 cs.CR · math.AG

Genus 2 Supersingular Isogeny Oblivious Transfer

Pith reviewed 2026-05-25 12:07 UTC · model grok-4.3

classification 💻 cs.CR math.AG
keywords oblivious transfer · isogenies · supersingular abelian surfaces · genus 2 · post-quantum cryptography · secure two-party computation

The pith

An oblivious transfer scheme can be built from isogenies of principally polarized supersingular abelian surfaces of genus 2.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper constructs an oblivious transfer protocol by lifting an existing isogeny-based construction from supersingular elliptic curves to principally polarized supersingular abelian surfaces of genus 2. The extension preserves the structure of the original protocol while operating in the higher-dimensional setting. A sympathetic reader would care because the scheme would supply a post-quantum candidate for secure two-party computation if the genus-2 isogeny problem is hard. The central object carrying the argument is the isogeny problem on these surfaces, which is assumed to hide the sender's choice bit from the receiver.

Core claim

We present an oblivious transfer scheme that extends the proposal made by Barreto, Oliveira and Benits, based on isogenies of supersingular elliptic curves, to the setting of principally polarized supersingular abelian surfaces.

What carries the argument

The isogeny problem between principally polarized supersingular abelian surfaces of genus 2, used to mask the receiver's choice bit.

If this is right

  • The resulting protocol supplies a candidate for post-quantum oblivious transfer.
  • Security rests on the same style of hardness assumption used in the elliptic-curve version.
  • The construction works for any choice of the underlying finite field where such surfaces exist.
  • The protocol inherits the round complexity and message sizes of the original elliptic-curve scheme.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • If the genus-2 isogeny problem admits a reduction from the elliptic-curve version, the new scheme would inherit proven security reductions.
  • Implementations might exploit the richer endomorphism ring structure of genus-2 surfaces to improve efficiency.
  • The same lifting technique could be tested on other isogeny-based primitives such as key exchange.

Load-bearing premise

Finding an isogeny between two principally polarized supersingular abelian surfaces of genus 2 is computationally hard.

What would settle it

An efficient algorithm that, given two principally polarized supersingular abelian surfaces of genus 2, outputs an isogeny between them would break the security of the oblivious transfer scheme.

Original abstract

We present an oblivious transfer scheme that extends the proposal made by Barreto, Oliveira and Benits, based on isogenies of supersingular elliptic curves, to the setting of principally polarized supersingular abelian surfaces.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 0 minor

Summary. The manuscript claims to construct an oblivious transfer scheme extending the Barreto-Oliveira-Benits isogeny-based OT from supersingular elliptic curves to principally polarized supersingular abelian surfaces of genus 2.

Significance. If supported by a valid security argument, the result would supply a new post-quantum OT primitive whose underlying hard problem has larger dimension than the elliptic-curve case; however, the manuscript supplies neither a reduction nor independent evidence that the genus-2 isogeny problem remains hard at the claimed security level, so the practical significance cannot be assessed from the given text.

major comments (2)
  1. Abstract: the central claim is an existence statement for the genus-2 extension, yet the text supplies no derivation of the protocol, no security proof sketch, and no parameter choices; without these elements the claim cannot be verified.
  2. Security analysis (throughout): the OT security rests on the computational hardness of the isogeny problem for principally polarized supersingular abelian surfaces of genus 2, but no reduction from the elliptic-curve isogeny problem, no genus-2-specific complexity argument, and no reference to independent evidence are provided.

Simulated Author's Rebuttal

2 responses · 1 unresolved

We thank the referee for the review and address the major comments point by point below.

Point-by-point responses
  1. Referee: Abstract: the central claim is an existence statement for the genus-2 extension, yet the text supplies no derivation of the protocol, no security proof sketch, and no parameter choices; without these elements the claim cannot be verified.

    Authors: The manuscript describes the extension of the Barreto-Oliveira-Benits protocol to principally polarized supersingular abelian surfaces. We agree that the abstract and main text would benefit from an expanded summary of the derivation, an explicit security argument sketch, and concrete parameter choices. These will be added in the revision.

    Revision: yes

  2. Referee: Security analysis (throughout): the OT security rests on the computational hardness of the isogeny problem for principally polarized supersingular abelian surfaces of genus 2, but no reduction from the elliptic-curve isogeny problem, no genus-2-specific complexity argument, and no reference to independent evidence are provided.

    Authors: The proposed scheme's security is predicated on the computational hardness of the genus-2 supersingular isogeny problem as a direct extension of the elliptic-curve setting. No reduction to the elliptic-curve isogeny problem, genus-2-specific complexity analysis, or supporting references are present in the manuscript, and none can be supplied without additional research.

    Revision: no

standing simulated objections not resolved
  • No reduction from the elliptic-curve isogeny problem, genus-2-specific complexity argument, or reference to independent evidence for hardness can be provided.

Circularity Check

0 steps flagged

No circularity; construction is an extension relying on an external hardness assumption with no self-referential reduction.

full rationale

The paper presents a direct extension of the Barreto-Oliveira-Benits OT protocol to principally polarized supersingular abelian surfaces of genus 2. Security is predicated on the computational hardness of the corresponding isogeny problem, which is asserted by analogy to the elliptic-curve case but without a reduction or new evidence supplied in the text. This is an unproven assumption rather than a derivation that collapses to its own inputs by construction. No equations, fitted parameters, self-citations that bear the central claim, or renamings of known results appear in the abstract or the described content. The scheme construction itself is independent of proving the hardness statement.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axiom · 0 invented entities

The central claim rests on the unproven hardness of the genus-2 supersingular isogeny problem and on the existence of a suitable isogeny-based OT construction that lifts from genus 1; neither is supplied with independent evidence in the abstract.

axioms (1)
  • Domain assumption: The computational supersingular isogeny problem remains hard when lifted from elliptic curves to principally polarized abelian surfaces of genus 2.
    Invoked implicitly by the claim that the extension preserves security.

Reference graph

Works this paper leans on

18 extracted references · 18 canonical work pages · 3 internal anchors

  1. Barreto, P., Oliveira, G., Benits, W.: Supersingular Isogeny Oblivious Transfer. arXiv:1805.06589v1 (2018)

  2. Cardona, G., Quer, J.: Field of moduli and field of definition for curves of genus 2. arXiv:math/0207015v1 (2002)

  3. Castryck, W., Decru, T., Smith, B.: Hash functions from superspecial genus-2 curves using Richelot isogenies. arXiv:1903.06451v1 (2019)

  4. Charles, D.X., Lauter, K.E., Goren, E.Z.: Cryptographic Hash Functions from Expander Graphs. Journal of Cryptology 22(1), 93–113 (2009)

  5. De Feo, L., Jao, D., Plût, J.: Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. Journal of Mathematical Cryptology 8(3), 209–247 (2015)

  6. De Feo, L., Galbraith, S.D.: SeaSign: Compact isogeny signatures from class group actions. Cryptology ePrint Archive: Report 2018/824 (2018)

  7. Flynn, E.V., Bo Ti, Y.: Genus Two Cryptography. Cryptology ePrint Archive: Report 2019/177 (2019)

  8. Galbraith, S.D.: Mathematics of public key cryptography. 1st edn. Cambridge University Press, United Kingdom (2012)

  9. Galbraith, S.D., Vercauteren, F.: Computational problems in supersingular elliptic curve isogenies. Quantum Information Processing 17(10), 1–22 (2018)

  10. Goldreich, O.: Foundations of Cryptography: Volume 2, Basic Applications. 1st edn. Cambridge University Press, United States of America (2004)

  11. Gonzalez, J., Guardia, J., Rotger, V.: Abelian Surfaces of GL2-type as Jacobians of Curves. arXiv:math/0409352v1 (2004)

  12. Hazay, C., Lindell, Y.: Efficient Secure Two-Party Protocols: Techniques and Constructions. 1st edn. Springer-Verlag, Germany (2010)

  13. Kilian, J.: Founding cryptography on oblivious transfer. STOC '88 Proceedings of the twentieth annual ACM symposium on Theory of computing, 20–31 (1988)

  14. Lang, S.: Abelian Varieties. Reprint edition. Dover Publications, United States of America (2019)

  15. Milne, J.S.: Abelian Varieties. In: Cornell, G., Silverman, J.H. (eds.) Arithmetic Geometry. Springer-Verlag, United States of America (1986)

  16. Oort, F., Ueno, K.: Principally Polarized Abelian Varieties of Dimension Two or Three are Jacobian Varieties. Aarhus Universitet Preprint Series 38 (1973)

  17. Tachibana, H., Takashima, K., Takagi, T.: Constructing an efficient hash function from 3-isogenies. JSIAM Letters 9, 29–32 (2017)

  18. Takashima, K.: Efficient Algorithms for Isogeny Sequences and Their Cryptographic Applications. In: Takagi, T., Wakayama, M., Tanaka, K., Kunihiro, N., Kimoto, K., Duong, D.H. (eds.) Mathematical Modelling for Next-Generation Cryptography. Springer, Singapore (2018)