computing isogenies between montgomery curves using the
play

Computing Isogenies between Montgomery Curves Using the Action of (0 - PowerPoint PPT Presentation

Jul 02, 2023 •398 likes •972 views

Computing Isogenies between Montgomery Curves Using the Action of (0 , 0) Joost Renes Radboud University, The Netherlands 9 April 2018 9 April 2018 1 / 11 Supersingular isogeny-based cryptography Proposed by Jao & De Feo [JF11]

  1. Computing Isogenies between Montgomery Curves Using the Action of (0 , 0) Joost Renes Radboud University, The Netherlands 9 April 2018 9 April 2018 1 / 11

  2. Supersingular isogeny-based cryptography ◮ Proposed by Jao & De Feo [JF11] ◮ Submitted to NIST competition [Aza+17] ( on Wednesday ) ◮ SIDH (passive security) ◮ SIKE (active security) ◮ This talk: computing isogenies on curves with extra structure 9 April 2018 2 / 11

  3. A graph-based protocol Alice Bob 9 April 2018 3 / 11

  4. A graph-based protocol Alice Bob 9 April 2018 3 / 11

  5. A graph-based protocol 24 Alice 24 Bob 9 April 2018 3 / 11

  6. A graph-based protocol 24 Alice 24 Bob 9 April 2018 3 / 11

  7. A graph-based protocol 24 Alice 66 41 24 Bob 9 April 2018 3 / 11

  8. A graph-based protocol 24 Alice 66 41 24 Bob 9 April 2018 3 / 11

  9. A graph-based protocol 41 24 Alice 66 41 24 Bob 66 9 April 2018 3 / 11

  10. A graph-based protocol 41 24 Alice 66 41 24 Bob 66 9 April 2018 3 / 11

  11. A graph-based protocol 41 24 Alice 66 48 41 24 Bob 66 48 9 April 2018 3 / 11

  12. Constructing graphs and walks using isogenies 9 April 2018 4 / 11

  13. Constructing graphs and walks using isogenies J 41 J 24 J 0 J 66 J 17 J 48 J 40 Classes of supersingular elliptic curves 9 April 2018 4 / 11

  14. Constructing graphs and walks using isogenies J 41 J 24 J 0 J 66 J 17 J 48 J 40 ℓ -isogeny φ Classes of supersingular elliptic curves 9 April 2018 4 / 11

  15. Constructing graphs and walks using isogenies J 0 J 17 J 48 J 40 ℓ -isogeny φ Classes of supersingular elliptic curves 9 April 2018 4 / 11

  16. Constructing graphs and walks using isogenies Φ ℓ ( X , Y ) = X ℓ +1 + Y ℓ +1 + · · · (1) J 0 J 17 J 48 J 40 ℓ -isogeny φ Classes of supersingular elliptic curves 9 April 2018 4 / 11

  17. Constructing graphs and walks using isogenies Φ ℓ ( X , Y ) = X ℓ +1 + Y ℓ +1 + · · · (1) E 0 E 17 E 48 E 40 ℓ -isogeny φ Supersingular elliptic curves 9 April 2018 4 / 11

  18. Constructing graphs and walks using isogenies Φ ℓ ( X , Y ) = X ℓ +1 + Y ℓ +1 + · · · (1) (2) ℓ + 1 subgroups of order ℓ (V´ elu’s formulas) E 0 E 17 E 48 E 40 ℓ -isogeny φ Supersingular elliptic curves 9 April 2018 4 / 11

  19. Constructing graphs and walks using isogenies Φ ℓ ( X , Y ) = X ℓ +1 + Y ℓ +1 + · · · (1) (2) ℓ + 1 subgroups of order ℓ (V´ elu’s formulas) M 0 M 17 M 48 M 40 ℓ -isogeny φ Supersingular Montgomery curves 9 April 2018 4 / 11

  20. Constructing graphs and walks using isogenies Φ ℓ ( X , Y ) = X ℓ +1 + Y ℓ +1 + · · · (1) (2) ℓ + 1 subgroups of order ℓ (V´ elu’s formulas) (3) Costello–Hisil [CH17] for ℓ ≥ 3 M 0 M 17 M 48 M 40 ℓ -isogeny φ Supersingular Montgomery curves 9 April 2018 4 / 11

  21. Constructing graphs and walks using isogenies Φ ℓ ( X , Y ) = X ℓ +1 + Y ℓ +1 + · · · (1) (2) ℓ + 1 subgroups of order ℓ (V´ elu’s formulas) (3) Costello–Hisil [CH17] for ℓ ≥ 3 (Q1) Where do these formulas come from? (Q2) What about ℓ = 2 ? M 0 M 17 M 48 M 40 ℓ -isogeny φ Supersingular Montgomery curves 9 April 2018 4 / 11

  22. What is an isogeny.. (1) A morphism of curves φ M A ( x , y ) = 0 → M A ′ ( x , y ) = 0 − − − − − − − − − 9 April 2018 5 / 11

  23. What is an isogeny.. (1) A morphism of curves � f ( x ) � g ( x ) , — φ = M A ( x , y ) = 0 → M A ′ ( x , y ) = 0 − − − − − − − − − 9 April 2018 5 / 11

  24. What is an isogeny.. (1) A morphism of curves � f ( x ) � g ( x ) , — φ = M A ( x , y ) = 0 → M A ′ ( x , y ) = 0 − − − − − − − − − 9 April 2018 5 / 11

  25. What is an isogeny.. (1) A morphism of curves � f ( x ) � g ( x ) , — φ = M A ( x , y ) = 0 → M A ′ ( x , y ) = 0 − − − − − − − − − (2) A homomorphism of groups ( x 0 , —) ( x 1 , —) = ( x 2 , —) ⊕ � � f ( x 0 ) g ( x 0 ) , — 9 April 2018 5 / 11

  26. What is an isogeny.. (1) A morphism of curves � f ( x ) � g ( x ) , — φ = M A ( x , y ) = 0 → M A ′ ( x , y ) = 0 − − − − − − − − − (2) A homomorphism of groups ( x 0 , —) ( x 1 , —) = ( x 2 , —) ⊕ � � � � � � f ( x 0 ) f ( x 1 ) f ( x 2 ) = g ( x 0 ) , — g ( x 1 ) , — g ( x 2 ) , — ⊕ 9 April 2018 5 / 11

  27. Describing f and g � � f ( x ) Given an isogeny φ ( x ) = g ( x ) , — (1) A point ∞ such that φ : ∞ �→ ∞ . Also 9 April 2018 6 / 11

  28. Describing f and g � � f ( x ) Given an isogeny φ ( x ) = g ( x ) , — (1) A point ∞ such that φ : ∞ �→ ∞ . Also ( x T , —) �→ ∞ ⇐ ⇒ g ( x T ) = 0 9 April 2018 6 / 11

  29. Describing f and g � � f ( x ) Given an isogeny φ ( x ) = g ( x ) , — (1) A point ∞ such that φ : ∞ �→ ∞ . Also ( x T , —) �→ ∞ ⇐ ⇒ g ( x T ) = 0 � = ⇒ g ( x ) ≈ ( x − x T ) T ∈ ker φ 9 April 2018 6 / 11

  30. Describing f and g � � f ( x ) Given an isogeny φ ( x ) = g ( x ) , — (1) A point ∞ such that φ : ∞ �→ ∞ . Also ( x T , —) �→ ∞ ⇐ ⇒ g ( x T ) = 0 � = ⇒ g ( x ) ≈ ( x − x T ) T ∈ ker φ (2) A point Q ∈ M A such that f ( x Q ) = 0 9 April 2018 6 / 11

  31. Describing f and g � � f ( x ) Given an isogeny φ ( x ) = g ( x ) , — (1) A point ∞ such that φ : ∞ �→ ∞ . Also ( x T , —) �→ ∞ ⇐ ⇒ g ( x T ) = 0 � = ⇒ g ( x ) ≈ ( x − x T ) T ∈ ker φ (2) A point Q ∈ M A such that f ( x Q ) = 0 = ⇒ f ( x T + Q ) = 0 for all T ∈ ker φ 9 April 2018 6 / 11

  32. Describing f and g � � f ( x ) Given an isogeny φ ( x ) = g ( x ) , — (1) A point ∞ such that φ : ∞ �→ ∞ . Also ( x T , —) �→ ∞ ⇐ ⇒ g ( x T ) = 0 � = ⇒ g ( x ) ≈ ( x − x T ) T ∈ ker φ (2) A point Q ∈ M A such that f ( x Q ) = 0 = ⇒ f ( x T + Q ) = 0 for all T ∈ ker φ � = ⇒ f ( x ) ≈ ( x − x T + Q ) T ∈ ker φ 9 April 2018 6 / 11

  33. Isogeny structure Theorem (sketch) Let G ⊂ M ( ¯ K ) be a subgroup, Q / ∈ G and � f ( x ) � φ = g ( x ) , — a separable isogeny such that ker φ = G and f ( x Q ) = 0 . Then � � f ( x ) = c f · ( x − x T + Q ) , g ( x ) = ( x − x T ) . T ∈ G T ∈ G \∞ 9 April 2018 7 / 11

  34. Isogeny structure Theorem (sketch) Let G ⊂ M ( ¯ K ) be a subgroup, Q / ∈ G and � f ( x ) � φ = g ( x ) , — a separable isogeny such that ker φ = G and f ( x Q ) = 0 . Then � � f ( x ) = c f · ( x − x T + Q ) , g ( x ) = ( x − x T ) . T ∈ G T ∈ G \∞ ◮ Generalizes when Q does not map to (0 , —) 9 April 2018 7 / 11

  35. Isogeny structure Theorem (sketch) Let G ⊂ M ( ¯ K ) be a subgroup, Q / ∈ G and � f ( x ) � φ = g ( x ) , — a separable isogeny such that ker φ = G and f ( x Q ) = 0 . Then � � f ( x ) = c f · ( x − x T + Q ) , g ( x ) = ( x − x T ) . T ∈ G T ∈ G \∞ ◮ Generalizes when Q does not map to (0 , —) ◮ Close connection between action of Q and isogeny! 9 April 2018 7 / 11

  36. Application to Montgomery curves This works perfectly for Montgomery curves! (1) A distinguished point Q = (0 , 0) of order two � � 1 (2) A very simple action ( x T , —) + Q = x T , — 9 April 2018 8 / 11

  37. Application to Montgomery curves This works perfectly for Montgomery curves! (1) A distinguished point Q = (0 , 0) of order two � � 1 (2) A very simple action ( x T , —) + Q = x T , —   x · x T − 1 � = ⇒ φ ( x ) =  x , —  x − x T T ∈ G \∞ 9 April 2018 8 / 11

  38. Application to Montgomery curves This works perfectly for Montgomery curves! (1) A distinguished point Q = (0 , 0) of order two � � 1 (2) A very simple action ( x T , —) + Q = x T , —   x · x T − 1 � = ⇒ φ ( x ) =  x , —  x − x T T ∈ G \∞ and A ′ = π ( A − 3 σ ), where x T − 1 � � π = x T , σ = x T T ∈ G \∞ T ∈ G \∞ 9 April 2018 8 / 11

  39. Application to Montgomery curves This works perfectly for Montgomery curves! (1) A distinguished point Q = (0 , 0) of order two � � 1 (2) A very simple action ( x T , —) + Q = x T , —   x · x T − 1 � = ⇒ φ ( x ) =  x , —  x − x T T ∈ G \∞ and A ′ = π ( A − 3 σ ), where x T − 1 � � π = x T , σ = x T T ∈ G \∞ T ∈ G \∞ for any subgroup not containing (0 , 0), generalizing [CH17] 9 April 2018 8 / 11

  40. Isogenies of degree two.. A curve has three points of order two, one of which is (0 , 0) M 0 9 April 2018 9 / 11

  41. Isogenies of degree two.. A curve has three points of order two, one of which is (0 , 0) M 0 ker = ( 0 , 0 ) 9 April 2018 9 / 11

  42. Isogenies of degree two.. A curve has three points of order two, one of which is (0 , 0) M 0 9 April 2018 9 / 11

  43. Isogenies of degree two.. A curve has three points of order two, one of which is (0 , 0) M 0 9 April 2018 9 / 11

  44. Isogenies of degree two.. A curve has three points of order two, one of which is (0 , 0) M 0 M 1 9 April 2018 9 / 11

  45. Isogenies of degree two.. A curve has three points of order two, one of which is (0 , 0) M 0 M 1 9 April 2018 9 / 11

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Quantum-resistant Cryptography based on Isogenies between Elliptic Curves A Brief Survey Jo ao

Quantum-resistant Cryptography based on Isogenies between Elliptic Curves A Brief Survey Jo ao

Quantum-resistant Cryptography based on Isogenies between Elliptic Curves A Brief Survey Jo ao Paulo da Silva , Ricardo Dahab, Julio L opez Institute of Computing University of Campinas Latin American Week on Coding and Information

558 views • 32 slides
Isogenies and endomorphism rings of elliptic curves ECC Summer School Damien Robert Microsoft

Isogenies and endomorphism rings of elliptic curves ECC Summer School Damien Robert Microsoft

Isogenies and endomorphism rings of elliptic curves ECC Summer School Damien Robert Microsoft Research 15 / 09 / 2011 (Nancy) 2 / 66 Outline 1 Isogenies on elliptic curves 2 Endomorphisms 3 Supersingular elliptic curves 4 Abelian varieties

1.84k views • 79 slides
Computing Cyclic Isogenies in Genus 2 with Applications in Cryptography Alina Dudeanu 1 Dimitar

Computing Cyclic Isogenies in Genus 2 with Applications in Cryptography Alina Dudeanu 1 Dimitar

Computing Cyclic Isogenies in Genus 2 with Applications in Cryptography Alina Dudeanu 1 Dimitar Jetchev 1 Damien Robert 2 1 EPF Lausanne 2 INRIA Bordeaux May 20, 2014 1/21 Introduction Elliptic and Hyperelliptic Curves Applications: Public key

1.13k views • 92 slides
Rational isogenies Computing rational isogenies from the equations of the kernel David Lubicz,

Rational isogenies Computing rational isogenies from the equations of the kernel David Lubicz,

Rational isogenies Computing rational isogenies from the equations of the kernel David Lubicz, Damien Robert Damien Robert Rational isogenies 2 1 Theta functions Complex abelian varieties Quasi-periodicity: Damien Robert Rational

734 views • 23 slides
Hash functions from superspecial genus-2 curves using Richelot isogenies Wouter Castryck, Thomas

Hash functions from superspecial genus-2 curves using Richelot isogenies Wouter Castryck, Thomas

Hash functions from superspecial genus-2 curves using Richelot isogenies Wouter Castryck, Thomas Decru , and Benjamin Smith NutMiC 2019, Paris June 24, 2019 Background 2006: hash functions based on supersingular elliptic curves (Charles,

564 views • 52 slides
Computing supersingular isogenies on Kummer surfaces Craig Costello ASIACRYPT December 6, 2018

Computing supersingular isogenies on Kummer surfaces Craig Costello ASIACRYPT December 6, 2018

Computing supersingular isogenies on Kummer surfaces Craig Costello ASIACRYPT December 6, 2018 Brisbane, Australia ECC vs. post-quantum ECC W. Castryck (GIF): https://www.esat.kuleuven.be/cosic/?p=7404 Alice 2 " -isogenies, Bob 3 $

766 views • 19 slides
Isogenies in a quantum world David Jao University of Waterloo September 19, 2011 Summary of

Isogenies in a quantum world David Jao University of Waterloo September 19, 2011 Summary of

Isogenies in a quantum world David Jao University of Waterloo September 19, 2011 Summary of main results A. Childs, D. Jao, and V. Soukharev, arXiv:1012.4019 For ordinary isogenous elliptic curves of equal endomorphism ring, we show (under

657 views • 36 slides
Jacobi Curves: Computing the Exact Topology of Arrangements of Non-Singular Algebraic Curves

Jacobi Curves: Computing the Exact Topology of Arrangements of Non-Singular Algebraic Curves

Jacobi Curves: Computing the Exact Topology of Arrangements of Non-Singular Algebraic Curves Nicola Wolpert Max-Planck-Institut f ur Informatik Stuhlsatzenhausweg 85 66123 Saarbr ucken, Germany nicola@mpi-sb.mpg.de March 26, 2003

255 views • 11 slides
Efficiently Computing Succinct Trade-off Curves Sergei Vassilvitskii Mihalis Yannakakis Outline

Efficiently Computing Succinct Trade-off Curves Sergei Vassilvitskii Mihalis Yannakakis Outline

Efficiently Computing Succinct Trade-off Curves Sergei Vassilvitskii Mihalis Yannakakis Outline Introduction Polynomial size trade off curves Construction of Pareto curves in 2-d Pareto curves in 3+ d Conclusion

622 views • 44 slides
Mappings of elliptic curves Benjamin Smith INRIA Saclay Ile-de-France & Laboratoire

Mappings of elliptic curves Benjamin Smith INRIA Saclay Ile-de-France & Laboratoire

Mappings of elliptic curves Benjamin Smith INRIA Saclay Ile-de-France & Laboratoire dInformatique de l Ecole polytechnique (LIX) Eindhoven, September 2008 Smith (INRIA & LIX) Isogenies of Elliptic Curves Eindhoven,

515 views • 28 slides
Isogenies, Polarisations and Real Multiplication 2015/09/29 ICERM Providence Gatan

Isogenies, Polarisations and Real Multiplication 2015/09/29 ICERM Providence Gatan

Isogenies, Polarisations and Real Multiplication 2015/09/29 ICERM Providence Gatan Bisson, Romain Cosset, Alina Dudeanu, Sorina Ionica, Dimitar Jetchev, David Lubicz, Chloe Martindale, Enea Milio, Damien Robert , Marco Streng Isogenies

952 views • 67 slides
Isogenies, Polarisations and Real Multiplication 2015/09/29 ICERM Providence Gatan

Isogenies, Polarisations and Real Multiplication 2015/09/29 ICERM Providence Gatan

Isogenies, Polarisations and Real Multiplication 2015/09/29 ICERM Providence Gatan Bisson, Romain Cosset, Alina Dudeanu, Sorina Ionica, Dimitar Jetchev, David Lubicz, Chloe Martindale, Enea Milio, Damien Robert , Marco Streng Isogenies

896 views • 78 slides
Computing Equations of Curves with Many Points Virgile Ducet 1 Claus Fieker 2 1 Institut de

Computing Equations of Curves with Many Points Virgile Ducet 1 Claus Fieker 2 1 Institut de

Computing Equations of Curves with Many Points Virgile Ducet 1 Claus Fieker 2 1 Institut de Mathmatiques de Luminy 2 Fachbereich Mathematik Universitt Kaiserslautern Algorithmic Number Theory Symposium, July 2012 Motivation Let C / F q be a

410 views • 38 slides
1 Properties of Bzier Curves Important Algorithms for Bzier Curves Affine invariance Convex

1 Properties of Bzier Curves Important Algorithms for Bzier Curves Affine invariance Convex

Topics Parametric curves and surfaces Polynomial curves Advanced Modeling 2 Rational curves Katja Bhler, Andrej Varchola, Eduard Tensor product surfaces Grller Triangular surfaces Institute of Computer Graphics and Algorithms Vienna

78 views • 6 slides
Computing Hermitian Determinantal Representations of Plane Curves Cynthia Vinzant University of

Computing Hermitian Determinantal Representations of Plane Curves Cynthia Vinzant University of

Computing Hermitian Determinantal Representations of Plane Curves Cynthia Vinzant University of Michigan 0.2 2 0.0 1 0 0.2 1 0.4 2 0.6 1.5 1.0 0.5 0.0 0.5 1.0 1.5 2 1 0 1 2 joint with Daniel Plaumann, Rainer Sinn, and David

523 views • 41 slides
Computing genus 2 curves from invariants on the Hilbert moduli space Journal of Number Theory,

Computing genus 2 curves from invariants on the Hilbert moduli space Journal of Number Theory,

Computing genus 2 curves from invariants on the Hilbert moduli space Journal of Number Theory, Special Issue on Elliptic Curve Cryptography http://eprint.iacr.org/2010/294 Kristin Lauter, Microsoft Research Joint work with: Tonghai Yang,

421 views • 39 slides
Hardware Architectures for HECC Gabriel GALLIN and Arnaud TISSERAND CNRS Lab-STICC IRISA

Hardware Architectures for HECC Gabriel GALLIN and Arnaud TISSERAND CNRS Lab-STICC IRISA

Hardware Architectures for HECC Gabriel GALLIN and Arnaud TISSERAND CNRS Lab-STICC IRISA HAH Project CryptArchi June, 2017 Summary Context & Motivations HECC Operations Efficient Multiplier Architectures and Tools Conclusion

507 views • 33 slides
Rational Points on an Elliptic Curve Dr. Carmen Bruni University of Waterloo November 11th, 2015

Rational Points on an Elliptic Curve Dr. Carmen Bruni University of Waterloo November 11th, 2015

Rational Points on an Elliptic Curve Dr. Carmen Bruni University of Waterloo November 11th, 2015 Lest We Forget Dr. Carmen Bruni Rational Points on an Elliptic Curve Revisit the Congruent Number Problem Congruent Number Problem Determine

572 views • 31 slides
A Finite Field Example Over F p geometric pictures dont make sense. Example Let E : y 2 = x 3

A Finite Field Example Over F p geometric pictures dont make sense. Example Let E : y 2 = x 3

E LLIPTIC CURVES C RYPTOGRAPHY F RANCESCO P APPALARDI #3 - T HIRD L ECTURE . J UNE 18 TH 2019 WAMS S CHOOL : O I NTRODUCTORY TOPICS IN N UMBER T HEORY AND D IFFERENTIAL G EOMETRY King Khalid University Abha, Saudi Arabia A Finite Field Example

404 views • 13 slides
Bitcoin II & Introduction to Elliptic Curve Cryptography Sep. 11, 2019 Overview

Bitcoin II & Introduction to Elliptic Curve Cryptography Sep. 11, 2019 Overview

Bitcoin II & Introduction to Elliptic Curve Cryptography Sep. 11, 2019 Overview Bitcoin Transactions Elliptic Curve Cryptography Introduction Arithmetics Signature Bitcoin, the protocol A blockchain Each

992 views • 52 slides
2017.03.24 Yongsoo Song Contents Motivation The Learning with errors (LWE) Problem

2017.03.24 Yongsoo Song Contents Motivation The Learning with errors (LWE) Problem

2017.03.24 Yongsoo Song Contents Motivation The Learning with errors (LWE) Problem LWE-based Encryptions; Previous Works Our Scheme LWR Result and Conclusion Motivation Mot otiv ivation Contemporary Cryptography 1 2

541 views • 25 slides
Key Management and Distribution public-key encryption helps address key distribution problems

Key Management and Distribution public-key encryption helps address key distribution problems

Information System Security Chapter 10 Key Management; Other Public Key Cryptosystems Dr. Loai Tawalbeh Faculty of Information system and Technology, The Arab Academy for Banking and Financial Sciences. Jordan Dr. Loai Tawalbeh

128 views • 11 slides
Algorithms for finite field arithmetic ric Schost (joint with Luca De Feo & Javad

Algorithms for finite field arithmetic ric Schost (joint with Luca De Feo & Javad

Algorithms for finite field arithmetic ric Schost (joint with Luca De Feo & Javad Doliskani) Western University University of Waterloo July 9, 2015 Basics 2 / 30 Finite fields Definition A finite field is a field (a set with

750 views • 45 slides
Auxiliary structures in number theory Kiran S. Kedlaya Department of Mathematics University of

Auxiliary structures in number theory Kiran S. Kedlaya Department of Mathematics University of

Auxiliary structures in number theory Kiran S. Kedlaya Department of Mathematics University of California, San Diego kedlaya@ucsd.edu http://kskedlaya.org/slides/ Symposium for Undergraduates in the Mathematical Sciences Brown University

1.37k views • 57 slides

More recommend