20 years of isogeny based cryptography
play

20 years of isogeny-based cryptography Luca De Feo feat. Jean - PowerPoint PPT Presentation

Jan 20, 2023 •218 likes •1.07k views

20 years of isogeny-based cryptography Luca De Feo feat. Jean Kieffer, Benjamin Smith Universit Paris Saclay, UVSQ & Inria November 14, 2017, Elliptic Curve Cryptography, Nijmegen Slides online at http://defeo.lu/docet/ Overview

  1. 20 years of isogeny-based cryptography Luca De Feo feat. Jean Kieffer, Benjamin Smith Université Paris Saclay, UVSQ & Inria November 14, 2017, Elliptic Curve Cryptography, Nijmegen Slides online at http://defeo.lu/docet/

  2. Overview Isogenies 1 Isogeny graphs in cryptography 2 Recent work 3 Luca De Feo (U Paris Saclay) 20 years of isogeny-based cryptography Nov 14, 2017 — ECC (Nijmegen) 2 / 49

  3. Elliptic curves Let E ✿ y 2 ❂ x 3 ✰ ax ✰ b be an elliptic curve... R Q P P ✰ Q Luca De Feo (U Paris Saclay) 20 years of isogeny-based cryptography Nov 14, 2017 — ECC (Nijmegen) 3 / 49

  4. Elliptic curves Let E ✿ y 2 ❂ x 3 ✰ ax ✰ b be an elliptic curve...forget it! R Q P P ✰ Q Luca De Feo (U Paris Saclay) 20 years of isogeny-based cryptography Nov 14, 2017 — ECC (Nijmegen) 3 / 49

  5. ✰ ✰ Elliptic curves Let ✦ 1 ❀ ✦ 2 ✷ ❈ be linearly independent complex numbers. Set ✄ ❂ ✦ 1 ❩ ✟ ✦ 2 ❩ ✦ 2 ❈ ❂ ✄ is an ❈ ❂ ✄ elliptic curve. ✦ 1 Luca De Feo (U Paris Saclay) 20 years of isogeny-based cryptography Nov 14, 2017 — ECC (Nijmegen) 4 / 49

  6. ✰ ✦ ❈ ❂ ✄ ✰ ✦ Elliptic curves Addition law induced by addition on ❈ . b a Luca De Feo (U Paris Saclay) 20 years of isogeny-based cryptography Nov 14, 2017 — ECC (Nijmegen) 4 / 49

  7. ✦ ❈ ❂ ✄ ✰ ✦ Elliptic curves Addition law induced by a ✰ b addition on ❈ . b a Luca De Feo (U Paris Saclay) 20 years of isogeny-based cryptography Nov 14, 2017 — ECC (Nijmegen) 4 / 49

  8. ✦ ❈ ❂ ✄ ✰ ✦ Elliptic curves Addition law induced by a ✰ b addition on ❈ . b a Luca De Feo (U Paris Saclay) 20 years of isogeny-based cryptography Nov 14, 2017 — ECC (Nijmegen) 4 / 49

  9. ✰ ✦ ❈ ❂ ✄ ✦ Elliptic curves Addition law induced by addition on ❈ . b a a ✰ b Luca De Feo (U Paris Saclay) 20 years of isogeny-based cryptography Nov 14, 2017 — ECC (Nijmegen) 4 / 49

  10. ❬ ❪ ❬ ❪ Multiplication a Luca De Feo (U Paris Saclay) 20 years of isogeny-based cryptography Nov 14, 2017 — ECC (Nijmegen) 5 / 49

  11. ❬ ❪ Multiplication ❬ 3 ❪ a a Luca De Feo (U Paris Saclay) 20 years of isogeny-based cryptography Nov 14, 2017 — ECC (Nijmegen) 5 / 49

  12. ❬ ❪ Multiplication ❬ 3 ❪ a a Luca De Feo (U Paris Saclay) 20 years of isogeny-based cryptography Nov 14, 2017 — ECC (Nijmegen) 5 / 49

  13. Torsion subgroups The ❵ -torsion subgroup is made up by the points ✒ i ✦ 1 ✓ ❵ ❀ j ✦ 2 ❵ It is a group of rank two E ❬ ❵ ❪ ❂ ❤ a ❀ b ✐ b ✬ ✭ ❩ ❂❵ ❩ ✮ 2 a Luca De Feo (U Paris Saclay) 20 years of isogeny-based cryptography Nov 14, 2017 — ECC (Nijmegen) 6 / 49

  14. Isogenies Let a ✷ ❈ ❂ ✄ 1 be an ❵ -torsion point, and let ✄ 2 ❂ a ❩ ✟ ✄ 1 Then ✄ 1 ✚ ✄ 2 and we define a degree ❵ cover p ✣ ✿ ❈ ❂ ✄ 1 ✦ ❈ ❂ ✄ 2 ✣ is a morphism of complex Lie a groups and is called an isogeny. Luca De Feo (U Paris Saclay) 20 years of isogeny-based cryptography Nov 14, 2017 — ECC (Nijmegen) 7 / 49

  15. Isogenies Let a ✷ ❈ ❂ ✄ 1 be an ❵ -torsion point, and let ✄ 2 ❂ a ❩ ✟ ✄ 1 Then ✄ 1 ✚ ✄ 2 and we define a degree ❵ cover p ✣ ✿ ❈ ❂ ✄ 1 ✦ ❈ ❂ ✄ 2 ✣ is a morphism of complex Lie a groups and is called an isogeny. Luca De Feo (U Paris Saclay) 20 years of isogeny-based cryptography Nov 14, 2017 — ECC (Nijmegen) 7 / 49

  16. Isogenies Let a ✷ ❈ ❂ ✄ 1 be an ❵ -torsion point, and let ✄ 2 ❂ a ❩ ✟ ✄ 1 Then ✄ 1 ✚ ✄ 2 and we define a degree ❵ cover p ✣ ✿ ❈ ❂ ✄ 1 ✦ ❈ ❂ ✄ 2 ✣ is a morphism of complex Lie a groups and is called an isogeny. Luca De Feo (U Paris Saclay) 20 years of isogeny-based cryptography Nov 14, 2017 — ECC (Nijmegen) 7 / 49

  17. Isogenies Taking a point b not in the kernel of ✣ , we obtain a new degree ❵ cover ❫ ✣ ✿ ❈ ❂ ✄ 2 ✦ ❈ ❂ ✄ 3 The composition ❫ ✣ ✍ ✣ has degree ❵ 2 p and is homothetic to the b multiplication by ❵ map. ❫ ✣ is called the dual isogeny of ✣ . Luca De Feo (U Paris Saclay) 20 years of isogeny-based cryptography Nov 14, 2017 — ECC (Nijmegen) 7 / 49

  18. Isogenies Taking a point b not in the kernel of ✣ , we obtain a new degree ❵ cover ❫ ✣ ✿ ❈ ❂ ✄ 2 ✦ ❈ ❂ ✄ 3 The composition ❫ ✣ ✍ ✣ has degree ❵ 2 p and is homothetic to the b multiplication by ❵ map. ❫ ✣ is called the dual isogeny of ✣ . Luca De Feo (U Paris Saclay) 20 years of isogeny-based cryptography Nov 14, 2017 — ECC (Nijmegen) 7 / 49

  19. Isogenies Taking a point b not in the kernel of ✣ , we obtain a new degree ❵ cover ❫ ✣ ✿ ❈ ❂ ✄ 2 ✦ ❈ ❂ ✄ 3 The composition ❫ ✣ ✍ ✣ has degree ❵ 2 and is homothetic to the b multiplication by ❵ p map. ❫ ✣ is called the dual isogeny of ✣ . Luca De Feo (U Paris Saclay) 20 years of isogeny-based cryptography Nov 14, 2017 — ECC (Nijmegen) 7 / 49

  20. Isogenies over arbitrary fields Isogenies are just the right notion of morphism for elliptic curves Surjective group morphisms. Algebraic maps (i.e., defined by polynomials). (Separable) isogenies ✱ finite subgroups: ✦ E ✵ ✦ 0 ✣ 0 ✦ H ✦ E The kernel H determines the image curve E ✵ up to isomorphism def ❂ E ✵ ✿ E ❂ H Isogeny degree Neither of these definitions is quite correct, but they nearly are: The degree of ✣ is the cardinality of ❦❡r ✣ . (Bisson) the degree of ✣ is the time needed to compute it. Luca De Feo (U Paris Saclay) 20 years of isogeny-based cryptography Nov 14, 2017 — ECC (Nijmegen) 8 / 49

  21. Easy and hard problems In practice: an isogeny ✣ is just a rational fraction (or maybe two) x n ✰ ✁ ✁ ✁ ✰ n 1 x ✰ n 0 N ✭ x ✮ with n ❂ ❞❡❣ ✣❀ D ✭ x ✮ ❂ ✷ k ✭ x ✮ ❀ x n � 1 ✰ ✁ ✁ ✁ ✰ d 1 x ✰ d 0 and D ✭ x ✮ vanishes on ❦❡r ✣ . ⑦ Vélu’s formulas ❖ ✭ n ✮ Input: A generator of the kernel H of the isogeny. Output: The curve E ❂ H and the rational fraction N ❂ D . The explicit isogeny problem Input: The curves E and E ❂ H , the degree n . Output: The rational fraction N ❂ D . Algorithms a ⑦ Elkies’ algorithm (and variants); ❖ ✭ n ✮ ⑦ Couveignes’ algorithm (and variants). ❖ ✭ n 2 ✮ a Elkies 1998; Couveignes 1996. Luca De Feo (U Paris Saclay) 20 years of isogeny-based cryptography Nov 14, 2017 — ECC (Nijmegen) 9 / 49

  22. Easy and hard problems Isogeny evaluation Input: A description of the isogeny ✣ , a point P ✷ E ✭ k ✮ . Output: The curve E ❂ H and ✣ ✭ P ✮ . Examples Input = rational fraction; O ✭ n ✮ ⑦ Input = composition of low degree isogenies; ❖ ✭❧♦❣ n ✮ The isogeny walk problem O ✭❄❄✮ Input: Isogenous curves E , E ✵ . Output: A path of low degree isogenies from E to E ✵ . Luca De Feo (U Paris Saclay) 20 years of isogeny-based cryptography Nov 14, 2017 — ECC (Nijmegen) 10 / 49

  23. Easy and hard problems Isogeny evaluation Input: A description of the isogeny ✣ , a point P ✷ E ✭ k ✮ . Output: The curve E ❂ H and ✣ ✭ P ✮ . Examples Input = rational fraction; O ✭ n ✮ ⑦ Input = composition of low degree isogenies; ❖ ✭❧♦❣ n ✮ The isogeny walk problem O ✭❄❄✮ Input: Isogenous curves E , E ✵ . Output: A path of low degree isogenies from E to E ✵ . Exponential separation... Luca De Feo (U Paris Saclay) 20 years of isogeny-based cryptography Nov 14, 2017 — ECC (Nijmegen) 10 / 49

  24. Easy and hard problems Isogeny evaluation Input: A description of the isogeny ✣ , a point P ✷ E ✭ k ✮ . Output: The curve E ❂ H and ✣ ✭ P ✮ . Examples Input = rational fraction; O ✭ n ✮ ⑦ Input = composition of low degree isogenies; ❖ ✭❧♦❣ n ✮ The isogeny walk problem O ✭❄❄✮ Input: Isogenous curves E , E ✵ . Output: A path of low degree isogenies from E to E ✵ . Exponential separation...Crypto happens! Luca De Feo (U Paris Saclay) 20 years of isogeny-based cryptography Nov 14, 2017 — ECC (Nijmegen) 10 / 49

  25. Isogeny graphs ✣ We look at the graph of elliptic curves with E ✵ E isogenies up to isomorphism. We say two isogenies ✣❀ ✣ ✵ are isomorphic if: ❡ ✣ ✵ E ✵ Example: Finite field, ordinary case, graph of isogenies of degree 3 . Luca De Feo (U Paris Saclay) 20 years of isogeny-based cryptography Nov 14, 2017 — ECC (Nijmegen) 11 / 49

  26. Structure of the graph 1 Theorem (Serre-Tate) Two curves are isogenous over a finite field k if and only if they have the same number of points on k . The graph of isogenies of prime degree ❵ ✻ ❂ p Ordinary case (isogeny volcanoes) Nodes can have degree 0 ❀ 1 ❀ 2 or ❵ ✰ 1 . ■ For ✘ 50 ✪ of the primes ❵ , graphs are just isolated points; ■ For other ✘ 50 ✪ , graphs are 2 -regular; ■ other cases only happen for finitely many ❵ ’s. Supersingular case The graph is ❵ ✰ 1 -regular. There is a unique (finite) connected component made of all supersingular curves with the same number of points. 1 Deuring 1941; Kohel 1996; Fouquet and Morain 2002. Luca De Feo (U Paris Saclay) 20 years of isogeny-based cryptography Nov 14, 2017 — ECC (Nijmegen) 12 / 49

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Advances in isogeny-based cryptography Benjamin Smith Inria + Laboratoire dInformatique de

Advances in isogeny-based cryptography Benjamin Smith Inria + Laboratoire dInformatique de

Advances in isogeny-based cryptography Benjamin Smith Inria + Laboratoire dInformatique de lcole polytechnique (LIX) 1 Arithmetic of low-dimensional abelian varieties // ICERM // 6/6/19 Elliptic curve cryptography 1 Breaking keypairs

821 views • 57 slides
Isogeny Based Cryptography: an Introduction Luca De Feo IBM Research Zrich November 18, 2019

Isogeny Based Cryptography: an Introduction Luca De Feo IBM Research Zrich November 18, 2019

Isogeny Based Cryptography: an Introduction Luca De Feo IBM Research Zrich November 18, 2019 Simula UiB, Bergen Slides online at https://defeo.lu/docet Why isogenies? Six families still in NIST post-quantum competition: Lattices 9

2k views • 172 slides
Isogeny Based Cryptography: an Introduction Luca De Feo IBM Research Zrich November 28, 2019

Isogeny Based Cryptography: an Introduction Luca De Feo IBM Research Zrich November 28, 2019

Isogeny Based Cryptography: an Introduction Luca De Feo IBM Research Zrich November 28, 2019 NTNU, Trondheim Slides online at https://defeo.lu/docet Why isogenies? Six families still in NIST post-quantum competition: Lattices 9 encryption

1.95k views • 160 slides
Isogeny-based cryptography, a quantum-safe alternative Annamaria Iezzi University of South

Isogeny-based cryptography, a quantum-safe alternative Annamaria Iezzi University of South

Isogeny-based cryptography, a quantum-safe alternative Annamaria Iezzi University of South Florida FWIMD - February 9, 2019 The key exchange problem ALICE and BELLE, communicating over a public channel, want to agree on a common secret

499 views • 18 slides
Isogeny-Based Cryptography Tanja Lange (with lots of slides by Lorenz Panny) Eindhoven

Isogeny-Based Cryptography Tanja Lange (with lots of slides by Lorenz Panny) Eindhoven

Isogeny-Based Cryptography Tanja Lange (with lots of slides by Lorenz Panny) Eindhoven University of Technology 20 & 21 July 2020 DiffieHellman key exchange 76 Public parameters: a finite group G (traditionally F p , today

1.65k views • 118 slides
Constructing Canonical Strategies For Parallel Implementation Of Isogeny Based Cryptography Aaron

Constructing Canonical Strategies For Parallel Implementation Of Isogeny Based Cryptography Aaron

Constructing Canonical Strategies For Parallel Implementation Of Isogeny Based Cryptography Aaron Hutchinson and Koray Karabina Florida Atlantic University INDOCRYPT 2018 Acknowledgment: This research was supported by the Army Research Office

288 views • 18 slides
Isogeny-Based Public-Key Cryptography David Jao Department of Combinatorics & Optimization

Isogeny-Based Public-Key Cryptography David Jao Department of Combinatorics & Optimization

Isogeny-Based Public-Key Cryptography David Jao Department of Combinatorics & Optimization Centre for Applied Cryptographic Research June 17, 2016 CENTRE FOR APPLIED CRYPTOGRAPHIC RESEARCH (CACR) Motivation: Post-Quantum Cryptography

355 views • 16 slides
Isogeny graphs in cryptography Luca De Feo Universit Paris Saclay, UVSQ March 18, 2019

Isogeny graphs in cryptography Luca De Feo Universit Paris Saclay, UVSQ March 18, 2019

Isogeny graphs in cryptography Luca De Feo Universit Paris Saclay, UVSQ March 18, 2019 Mathematical foundations of asymmetric cryptography Aussois, Savoie Slides online at https://defeo.lu/docet/ Overview Isogeny graphs 1 Elliptic Curves

1.96k views • 156 slides
An introduction to supersingular isogeny-based cryptography Craig Costello November 10 ECC 2017

An introduction to supersingular isogeny-based cryptography Craig Costello November 10 ECC 2017

An introduction to supersingular isogeny-based cryptography Craig Costello November 10 ECC 2017 Nijmegen, The Netherlands W. Castryck (GIF): Elliptic curves are dead: long live elliptic curves https://www.esat.kuleuven.be/cosic/?p=7404

1.07k views • 78 slides
Isogeny graphs in cryptography Luca De Feo Universit Paris Saclay, UVSQ July 29 August 29,

Isogeny graphs in cryptography Luca De Feo Universit Paris Saclay, UVSQ July 29 August 29,

Isogeny graphs in cryptography Luca De Feo Universit Paris Saclay, UVSQ July 29 August 29, 2019 Cryptography meets Graph Theory Wrzburg, Franken, Germany Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29Aug 2,

1.99k views • 174 slides
isogeny-based cryptography Craig Costello Summer School on Real-World Crypto and Privacy June 8,

isogeny-based cryptography Craig Costello Summer School on Real-World Crypto and Privacy June 8,

An introduction to supersingular isogeny-based cryptography Craig Costello Summer School on Real-World Crypto and Privacy June 8, 2017 ibenik , Croatia T owards quantum-resistant cryptosystems from supersingular elliptic curve isogenies

1.46k views • 51 slides
Another Look At Some Isogeny Hardness Assumptions Simon-Phillipp Merz, Romy Minko, Christophe

Another Look At Some Isogeny Hardness Assumptions Simon-Phillipp Merz, Romy Minko, Christophe

Another Look At Some Isogeny Hardness Assumptions Simon-Phillipp Merz, Romy Minko, Christophe Petit ECC 2019 3 December 1 / 50 Motivation Isogeny based cryptography Another Look at Provable Security Neal Koblitz Dept. of

780 views • 61 slides
Isogeny graphs in cryptography: the good, the bad and the ugly Luca De Feo Universit Paris

Isogeny graphs in cryptography: the good, the bad and the ugly Luca De Feo Universit Paris

Isogeny graphs in cryptography: the good, the bad and the ugly Luca De Feo Universit Paris Saclay UVSQ May 13, 2019, Universit di Roma 3, Roma Slides online at https://defeo.lu/docet/ Elliptic curves Let E y 2 x 3 ax b

1.22k views • 76 slides
Isogeny graphs in cryptography Luca De Feo Universit Paris Saclay, UVSQ & Inria March

Isogeny graphs in cryptography Luca De Feo Universit Paris Saclay, UVSQ & Inria March

Isogeny graphs in cryptography Luca De Feo Universit Paris Saclay, UVSQ & Inria March 1923, 2018, Post-Scryptum Spring School, Les 7 Laux Slides online at http://defeo.lu/docet/ Photo courtesy of Elisa Lorenzo-Garca Overview

1.87k views • 144 slides
Faster Isogeny-Based Compressed Key Agreement Gustavo H. M. Zanon, Marcos A. Simplicio Jr,

Faster Isogeny-Based Compressed Key Agreement Gustavo H. M. Zanon, Marcos A. Simplicio Jr,

Faster Isogeny-Based Compressed Key Agreement Gustavo H. M. Zanon, Marcos A. Simplicio Jr, Geovandro C. C. F. Pereira , Javad Doliskani, and Paulo S. L. M. Barreto. 1 REVI EW : SI DH AND COMPRESSED KEYS 2 Isogeny-based Crypto n SIDH:

856 views • 81 slides
Isogeny Graphs in Cryptography Luca De Feo hand-drawings by Rachel Deyts Universit de

Isogeny Graphs in Cryptography Luca De Feo hand-drawings by Rachel Deyts Universit de

Isogeny Graphs in Cryptography Luca De Feo hand-drawings by Rachel Deyts Universit de Versailles & Inria, Universit Paris-Saclay May 31, 2018, Journes du Pr-GDR Scurit, Paris Elliptic curves Let E y 2 x 3 ax b be

1.01k views • 73 slides
Coarse-Grained Transactions Eric Koskinen University of Cambridge 20 January 2010 Joint work

Coarse-Grained Transactions Eric Koskinen University of Cambridge 20 January 2010 Joint work

Coarse-Grained Transactions Eric Koskinen University of Cambridge 20 January 2010 Joint work with Matthew Parkinson, Maurice Herlihy Wednesday, 20 January 2010 Abstract Data Types global SkipList set; atomic { atomic { set.Add(3); if

979 views • 93 slides
a = b c . . . C ONTENT G ENERAL R ECURSION Intro & motivation, getting started with

a = b c . . . C ONTENT G ENERAL R ECURSION Intro & motivation, getting started with

L AST W EEK Constructive Logic & Curry-Howard-Isomorphism The Coq System NICTA Advanced Course The HOL4 system Before that: datatypes, recursion, induction Theorem Proving Slide 1 Slide 3 Principles, Techniques, Applications

898 views • 7 slides
LArTPC Testbeam: CAPTAIN and LArIAT Jason St. John, University of Cincinnati On behalf of the

LArTPC Testbeam: CAPTAIN and LArIAT Jason St. John, University of Cincinnati On behalf of the

LArTPC Testbeam: CAPTAIN and LArIAT Jason St. John, University of Cincinnati On behalf of the LArIAT Collaboration and for the CAPTAIN Collaboration NuFact 2015, Rio de Janeiro Outline miniCAPTAIN (neutrons) & LArIAT (charged species) -

677 views • 49 slides
Population pressures Outline Basic data 1. Malthusian theories 2. Demographic transitions 3.

Population pressures Outline Basic data 1. Malthusian theories 2. Demographic transitions 3.

Lecture notes on population and fertility Rajeev Dehejia Population pressures Outline Basic data 1. Malthusian theories 2. Demographic transitions 3. Demographic gifts and burdens 4. 11:09 am, Monday 10 April 2017 Population: %

789 views • 68 slides
Vulnerability Analysis (IV): Program Verifjcation Slide credit: Vijay Dawn Song DSilva

Vulnerability Analysis (IV): Program Verifjcation Slide credit: Vijay Dawn Song DSilva

Computer Security Course. Dawn Computer Security Course. Dawn Song Song Vulnerability Analysis (IV): Program Verifjcation Slide credit: Vijay Dawn Song DSilva Program Verifjcation Dawn Song Program Verifjcation How to prove a

768 views • 60 slides
BOMB: OUR ROLE AS EDUCATORS Ken Shain November 16, 2019 PRESENTOR Ken enneth eth S. Sha hain

BOMB: OUR ROLE AS EDUCATORS Ken Shain November 16, 2019 PRESENTOR Ken enneth eth S. Sha hain

DEFUSING THE RACE BOMB: OUR ROLE AS EDUCATORS Ken Shain November 16, 2019 PRESENTOR Ken enneth eth S. Sha hain Teacher & PD Facilitator, Minneapolis School District Teacher of the Year Nominee, 2017 MFT Local 59, Executive

946 views • 58 slides
The Memory-Tightness of Authenticated Encryption Stefano Tessaro Ashrujit Ghoshal Joseph Jaeger

The Memory-Tightness of Authenticated Encryption Stefano Tessaro Ashrujit Ghoshal Joseph Jaeger

The Memory-Tightness of Authenticated Encryption Stefano Tessaro Ashrujit Ghoshal Joseph Jaeger University of Washington CRYPTO 2020 Concrete security theorems: resources 1 0 resources Traditionally: time

402 views • 29 slides
Nested T ransactions in a Logical Language fo r Active Rules Bertram Lud ascher

Nested T ransactions in a Logical Language fo r Active Rules Bertram Lud ascher

Nested T ransactions in a Logical Language fo r Active Rules Bertram Lud ascher W olfgang Ma y Geo rg Lausen Institut f ur Info rmatik Universit at F reiburg Germany Overview Intro duction

314 views • 16 slides

More recommend