Another Look At Some Isogeny Hardness Assumptions Simon-Phillipp - PowerPoint PPT Presentation

Another Look At Some Isogeny Hardness Assumptions Simon-Phillipp Merz, Romy Minko, Christophe Petit ECC 2019 3 December 1 / 50

Motivation ◮ Isogeny based cryptography Another Look at “Provable Security” Neal Koblitz Dept. of Mathematics, Box 354350 Univ. of Washington, Seattle, WA 98195 U.S.A. is becoming more popular. koblitz@math.washington.edu Alfred J. Menezes Dept. of Combinatorics & Optimization Univ. of Waterloo, Waterloo, Ontario N2L 3G1 Canada ◮ More protocols are ajmeneze@uwaterloo.ca July 4, 2004 ∗ Abstract developed, and sometimes We give an informal analysis and critique of several typical “provable security” results. In some cases there are intuitive but convincing argu- ments for rejecting the conclusions suggested by the formal terminology and “proofs,” whereas in other cases the formalism seems to be consistent with common sense. We discuss the reasons why the search for mathemat- their security does not ically convincing theoretical evidence to support the security of public-key systems has been an important theme of researchers. But we argue that the theorem-proof paradigm of theoretical mathematics is often of limited relevance here and frequently leads to papers that are confusing and mis- leading. Because our paper is aimed at the general mathematical public, it is self-contained and as jargon-free as possible. reduce to existing problems. Key words . Cryptography, Public Key, Provable Security AMS subject classifications . 94A60, 68P25, 11T71 1 Introduction ◮ New ‘hard’ problems are Suppose that someone is using public-key cryptography to protect credit card numbers during online purchases, maintain confidentiality of medical records, or safeguard national security information. How can she be sure that the system is secure? What type of evidence could convince her that a malicious adversary could not somehow break into the system and learn her secret? At first glance it seems that this question has a straightforward answer. At therefore proposed. the heart of any public-key cryptosystem is a “one-way function” — a function § updated on July 16, 2004; October 25, 2004; March 31, 2005; and May 4, 2005 1 2 / 50

Outline ◮ (Very Brief) Introduction ◮ Reviewing Some Isogeny Problems ◮ Undeniable Signature Schemes ◮ Jao-Soukharev (2014) ◮ Srinath-Chandrasekaran (2018) ◮ Attack on the Computational Hardness Assumption ◮ Attack on the Signature Scheme 3 / 50

SIDH Protocol Parameters ◮ ℓ A , ℓ B small distinct primes ◮ e A , e B positive integers ◮ p = ℓ e A A ℓ e B B f ± 1 , p prime Fix a supersingular elliptic curve E defined over F p 2 and bases { P A , Q A } , { P B , Q B } of the ℓ e A A and ℓ e B B torsions of E , respectively. Alice chooses 0 < m A , n A < ℓ e A A . Bob chooses 0 < m B , n B < ℓ e B B . 4 / 50

SIDH Protocol Alice publishes E A , φ A ( P B ) , φ A ( Q B ) . Bob publishes E B , φ B ( P A ) , φ B ( Q A ) . E A = E / � [ m A ] P A + [ n A ] Q A � φ ′ φ A B E E AB φ B φ ′ A E B = E / � [ m B ] P B + [ n B ] Q B � 5 / 50

Outline ◮ (Very Brief) Introduction ◮ Reviewing Some Isogeny Problems ◮ Undeniable Signature Schemes ◮ Jao-Soukharev (2014) ◮ Srinath-Chandrasekaran (2018) ◮ Attack on the Computational Hardness Assumption ◮ Attack on the Signature Scheme 6 / 50

Problem Statements Supersingular Isogeny Computational Diffie-Hellman Problem (SSCDH) Given the curves E, E A , E B and the points φ A ( P B ) , φ A ( Q B ) , φ B ( P A ) and φ B ( Q A ) , find the j-invariant of E AB = E / � [ m A ] P A + [ n A ] Q A , [ m B ] P B + [ n B ] Q B � . 7 / 50

Problem Statements Modified SSCDH Problem (Modified SSCDH) Given E, E A , E B and ker( φ B ) , determine E AB up to isomorphism, i.e. find j ( E AB ) . 8 / 50

Problem Statements One-Sided Modified SSCDH Signing Oracle For fixed curves E , E A , E B , let O B be an oracle that solves MSSCDH for E A , E B ′ , ker( φ B ′ ) such that E B ′ is ◮ not isomorphic to E B , and ◮ ℓ e B B -isogenous to E . Problem (One-Sided MSSCDH) For fixed E, E A , E B , given O B , solve MSSCDH for E A , E B and ker( φ B ) . 9 / 50

One-Sided Modified SSCDH E φ B ′ φ A φ B E A E B E B ′ φ ′ φ ′ B A E AB φ ′ φ ′′ B ′ A E AB ′ Target Curve Oracle Output 10 / 50

Problem Statements One-More Modified SSCDH Signing Oracle For fixed curves E , E A let O A be an oracle that solves MSSCDH for E A , E B i , ker( φ B i ) upon input of E B i , ℓ e B B -isogenous to E . Problem (One-More MSSCDH) After making q queries to O A produce at least q + 1 distinct pairs of curves ( E B i , E AB i ) , where E AB i is the solution to MSSCDH for E A , E B i and ker ( φ B i ) , and E B i are ℓ e B B -isogenous to E for 1 ≤ i ≤ q + 1 . 11 / 50

Outline ◮ (Very Brief) Introduction ◮ Reviewing Some Isogeny Problems ◮ Undeniable Signature Schemes ◮ Jao-Soukharev (2014) ◮ Srinath-Chandrasekaran (2018) ◮ Attack on the Computational Hardness Assumption ◮ Attack on the Signature Scheme 12 / 50

Undeniable Signature Schemes ◮ Σ = { KeyGen , Sign , Check , Sim , π con , π dis } . ◮ KeyGen generates ( v k , s k ), a verification and signing key-pair. ◮ Sign ( s k , m ) = σ m . ◮ Check (( v k , m , σ ) , s k ) determines if σ is valid. ◮ Sim ( v k , m ) simulates a signature for m . ◮ π con , π dis are zero-knowledge interactive protocols. 13 / 50

Jao-Soukharev (2014) ◮ Let p be a prime of the form ℓ e A A ℓ e B B ℓ e C C · f ± 1. ◮ Fix a supersingular curve E over F p 2 , ◮ Fix bases { P i , Q i } of the ℓ e i i torsion of E for i ∈ { A , B , C } . ◮ Let H : { 0 , 1 } ∗ → Z be a cryptographic hash function. 14 / 50

Jao-Soukharev (2014) ◮ Public Parameters: p , E , H , { P i , Q i } i ∈{ A , B , C } . ◮ Signer’s Secret Key: m A , n A ∈ Z /ℓ e A A Z (or φ A : E → E A = E / � [ m A ] P A + [ n A ] Q A � ). ◮ Public Key: E A , φ A ( P C ) , φ A ( Q C ) 15 / 50

Jao-Soukharev (2014) Signing For message M : ◮ Compute E B = E / � P B + [ H ( M )] Q B � . φ A E E A φ B φ AB φ BA E B E AB ◮ Output σ = ( E AB , φ BA ( φ B ( P C )) , φ BA ( φ B ( Q C ))) . 16 / 50

Jao-Soukharev (2014) Confirmation/Disavowal ◮ The signer secretly chooses m C , n C ∈ Z /ℓ C Z and computes S C = [ m C ] P C + [ n C ] Q C . ϕ CA E C E AC ϕ CB ϕ ACB E BC E ABC ϕ BCA E C = E /⟨ S C ⟩, E BC = E B /⟨ ϕ B ( S C )⟩ E AC = E A /⟨ ϕ A ( S C )⟩, E ABC = E BC /⟨ ϕ CB ([ m A ] P A + [ n A ] Q A )⟩ 17 / 50

Jao-Soukharev (2014) Confirmation/Disavowal ◮ Given σ = { E σ , P σ , Q σ } , E σ C = E σ / � [ m c ] P σ + [ n C ] Q σ � Signer Verifier Commit: com = E C , E BC , E AC , E ABC , ker( φ CB ) com b ← $ { 0 , 1 } b if b = 0 , X = ker( φ C ) . if b = 1 , X = ker( φ CA ) . X Check E σ C = E ABC . 18 / 50

Jao-Soukharev (2014) Confirmation/Disavowal ◮ Given σ = { E σ , P σ , Q σ } , E σ C = E σ / � [ m c ] P σ + [ n C ] Q σ � 19 / 50

Srinath-Chandrasekaran (2018) Undeniable Blind Signatures φ A E E A φ A E E A φ B φ B φ AB E B E AB φ BA E B E AB ˆ φ BD φ ABD Figure: Verification requires that φ BDA E BD E BDA the signature curve is in the isomorphism class of E AB . Figure: Signing (with blindness) 20 / 50

Undeniable Signature Schemes ◮ Security Properties: ◮ Undeniability ◮ Unforgeability ◮ Invisibility 21 / 50

Undeniable Signature Schemes Security Properties Unforgeability ◮ The attacker has access to a signing oracle O . ◮ They can query the oracle polynomially many times with arbitrarily chosen messages m i . ◮ They must output valid ( m , σ ), where m � = m i . 22 / 50

Undeniable Signature Schemes Security Properties Invisibility ◮ The attacker has access to a signing oracle O . ◮ They can query the oracle polynomially many times with arbitrarily chosen messages m i . ◮ They then send m j � = m i to a challenger. ◮ The challenger returns σ c , either a simulated signature or a valid signature for m j . ◮ The attacker must decide if σ c is valid. 23 / 50

Security Proofs Jao-Soukharev Proof of Unforgeability and Invisibility [1] Given zero-knowledge confirmation and disavowal protocols, forging signatures is equivalent to OMSSCDH. Invisibility requires that after a polynomial number of queries to the signing oracle, an adversary cannot determine the validity of a signature. This problem is equivalent to OMSSCDH. [1] David Jao and Vladimir Soukharev. Isogeny-based quantum-resistant undeniablesignatures. InInternational Workshop on Post-Quantum Cryptography, pages 160–179. Springer, 2014. 24 / 50

Outline ◮ (Very Brief) Introduction ◮ Reviewing Some Isogeny Problems ◮ Undeniable Signature Schemes ◮ Jao-Soukharev (2014) ◮ Srinath-Chandrasekaran (2018) ◮ Attack on the Computational Hardness Assumption ◮ Attack on the Signature Scheme 25 / 50

An attack against OMSSCDH Problem (OMSSCDH) For fixed E, E A , E B , given an oracle, O , to solve MSSCDH for E A , E B ′ , ker( φ B ′ ) with E B ′ not isomorphic to E B and ℓ e B B -isogenous to E, solve MSSCDH for E A , E B and ker( φ B ) . E φ B ′ φ A φ B E A E B E B ′ φ ′ φ ′ B A E AB φ ′ φ ′′ B ′ A E AB ′ 26 / 50

An attack against OMSSCDH Theorem A solution to the OMSSCDH problem can be guessed with 1 probability ( ℓ B +1) ℓ B after a single query to the signing oracle. 27 / 50