Computing Isogenies between Montgomery Curves Using the Action of (0 - - PowerPoint PPT Presentation

Computing Isogenies between Montgomery Curves Using the Action of (0, 0)

Joost Renes

Radboud University, The Netherlands

9 April 2018

9 April 2018 1 / 11

Supersingular isogeny-based cryptography

◮ Proposed by Jao & De Feo [JF11] ◮ Submitted to NIST competition [Aza+17] (on Wednesday)

◮ SIDH (passive security) ◮ SIKE (active security)

◮ This talk: computing isogenies on curves with extra structure

9 April 2018 2 / 11

A graph-based protocol

Alice Bob

9 April 2018 3 / 11

A graph-based protocol

Alice Bob

9 April 2018 3 / 11

A graph-based protocol

24 24 Alice Bob

9 April 2018 3 / 11

A graph-based protocol

24 24 Alice Bob

9 April 2018 3 / 11

A graph-based protocol

24 66 24 41 Alice Bob

9 April 2018 3 / 11

A graph-based protocol

24 66 24 41 Alice Bob

9 April 2018 3 / 11

A graph-based protocol

24 66 41 24 41 66 Alice Bob

9 April 2018 3 / 11

A graph-based protocol

24 66 41 24 41 66 Alice Bob

9 April 2018 3 / 11

A graph-based protocol

24 66 41 48 24 41 66 48 Alice Bob

9 April 2018 3 / 11

Constructing graphs and walks using isogenies

9 April 2018 4 / 11

Constructing graphs and walks using isogenies

J66 J24 J41 J0 J40 J48 J17 Classes of supersingular elliptic curves

9 April 2018 4 / 11

Constructing graphs and walks using isogenies

J66 J24 J41 J0 J40 J48 J17 Classes of supersingular elliptic curves ℓ-isogeny φ

9 April 2018 4 / 11

Constructing graphs and walks using isogenies

ℓ-isogeny φ J0 J40 J48 J17 Classes of supersingular elliptic curves

9 April 2018 4 / 11

Constructing graphs and walks using isogenies

ℓ-isogeny φ J0 J40 J48 J17 Classes of supersingular elliptic curves (1) Φℓ(X, Y ) = X ℓ+1 + Y ℓ+1 + · · ·

9 April 2018 4 / 11

Constructing graphs and walks using isogenies

ℓ-isogeny φ (1) Φℓ(X, Y ) = X ℓ+1 + Y ℓ+1 + · · · E0 E40 E48 E17 Supersingular elliptic curves

9 April 2018 4 / 11

Constructing graphs and walks using isogenies

ℓ-isogeny φ (1) Φℓ(X, Y ) = X ℓ+1 + Y ℓ+1 + · · · (2) ℓ + 1 subgroups of order ℓ (V´ elu’s formulas) E0 E40 E48 E17 Supersingular elliptic curves

9 April 2018 4 / 11

Constructing graphs and walks using isogenies

ℓ-isogeny φ (1) Φℓ(X, Y ) = X ℓ+1 + Y ℓ+1 + · · · M0 M40 M48 M17 Supersingular Montgomery curves (2) ℓ + 1 subgroups of order ℓ (V´ elu’s formulas)

9 April 2018 4 / 11

Constructing graphs and walks using isogenies

ℓ-isogeny φ (1) Φℓ(X, Y ) = X ℓ+1 + Y ℓ+1 + · · · M0 M40 M48 M17 Supersingular Montgomery curves (2) ℓ + 1 subgroups of order ℓ (V´ elu’s formulas) (3) Costello–Hisil [CH17] for ℓ ≥ 3

9 April 2018 4 / 11

Constructing graphs and walks using isogenies

ℓ-isogeny φ (1) Φℓ(X, Y ) = X ℓ+1 + Y ℓ+1 + · · · M0 M40 M48 M17 Supersingular Montgomery curves (2) ℓ + 1 subgroups of order ℓ (V´ elu’s formulas) (3) Costello–Hisil [CH17] for ℓ ≥ 3 (Q1) Where do these formulas come from? (Q2) What about ℓ = 2?

9 April 2018 4 / 11

What is an isogeny..

(1) A morphism of curves MA(x, y) = 0

φ

− − − − − − − − − → MA′(x, y) = 0

9 April 2018 5 / 11

What is an isogeny..

(1) A morphism of curves MA(x, y) = 0

φ= f (x)

g(x) ,—

• −

− − − − − − − − → MA′(x, y) = 0

9 April 2018 5 / 11

What is an isogeny..

(1) A morphism of curves MA(x, y) = 0

φ= f (x)

g(x) ,—

• −

− − − − − − − − → MA′(x, y) = 0

9 April 2018 5 / 11

What is an isogeny..

(1) A morphism of curves MA(x, y) = 0

φ= f (x)

g(x) ,—

• −

− − − − − − − − → MA′(x, y) = 0 (2) A homomorphism of groups (x0, —)

• f (x0)

g(x0), —

• (x1, —)

(x2, —) ⊕ =

9 April 2018 5 / 11

What is an isogeny..

(1) A morphism of curves MA(x, y) = 0

φ= f (x)

g(x) ,—

• −

− − − − − − − − → MA′(x, y) = 0 (2) A homomorphism of groups (x0, —)

• f (x0)

g(x0), —

• (x1, —)

(x2, —) ⊕ =

• f (x1)

g(x1), —

• f (x2)

g(x2), —

• ⊕

=

9 April 2018 5 / 11

Describing f and g

Given an isogeny φ(x) =

• f (x)

g(x), —

• (1) A point ∞ such that φ : ∞ → ∞. Also

9 April 2018 6 / 11

Describing f and g

Given an isogeny φ(x) =

• f (x)

g(x), —

• (1) A point ∞ such that φ : ∞ → ∞. Also

(xT, —) → ∞ ⇐ ⇒ g(xT) = 0

9 April 2018 6 / 11

Describing f and g

Given an isogeny φ(x) =

• f (x)

g(x), —

• (1) A point ∞ such that φ : ∞ → ∞. Also

(xT, —) → ∞ ⇐ ⇒ g(xT) = 0 = ⇒ g(x) ≈

• T∈ker φ

(x − xT)

9 April 2018 6 / 11

Describing f and g

Given an isogeny φ(x) =

• f (x)

g(x), —

• (1) A point ∞ such that φ : ∞ → ∞. Also

(xT, —) → ∞ ⇐ ⇒ g(xT) = 0 = ⇒ g(x) ≈

• T∈ker φ

(x − xT) (2) A point Q ∈ MA such that f (xQ) = 0

9 April 2018 6 / 11

Describing f and g

Given an isogeny φ(x) =

• f (x)

g(x), —

• (1) A point ∞ such that φ : ∞ → ∞. Also

(xT, —) → ∞ ⇐ ⇒ g(xT) = 0 = ⇒ g(x) ≈

• T∈ker φ

(x − xT) (2) A point Q ∈ MA such that f (xQ) = 0 = ⇒ f (xT+Q) = 0 for all T ∈ ker φ

9 April 2018 6 / 11

Describing f and g

Given an isogeny φ(x) =

• f (x)

g(x), —

• (1) A point ∞ such that φ : ∞ → ∞. Also

(xT, —) → ∞ ⇐ ⇒ g(xT) = 0 = ⇒ g(x) ≈

• T∈ker φ

(x − xT) (2) A point Q ∈ MA such that f (xQ) = 0 = ⇒ f (xT+Q) = 0 for all T ∈ ker φ = ⇒ f (x) ≈

• T∈ker φ

(x − xT+Q)

9 April 2018 6 / 11

Isogeny structure

Theorem (sketch)

Let G ⊂ M( ¯ K) be a subgroup, Q / ∈ G and φ = f (x) g(x), —

• a separable isogeny such that ker φ = G and f (xQ) = 0. Then

f (x) = cf ·

• T∈G

(x − xT+Q) , g(x) =

• T∈G\∞

(x − xT) .

9 April 2018 7 / 11

Isogeny structure

Theorem (sketch)

Let G ⊂ M( ¯ K) be a subgroup, Q / ∈ G and φ = f (x) g(x), —

• a separable isogeny such that ker φ = G and f (xQ) = 0. Then

f (x) = cf ·

• T∈G

(x − xT+Q) , g(x) =

• T∈G\∞

(x − xT) .

◮ Generalizes when Q does not map to (0, —)

9 April 2018 7 / 11

Isogeny structure

Theorem (sketch)

Let G ⊂ M( ¯ K) be a subgroup, Q / ∈ G and φ = f (x) g(x), —

• a separable isogeny such that ker φ = G and f (xQ) = 0. Then

f (x) = cf ·

• T∈G

(x − xT+Q) , g(x) =

• T∈G\∞

(x − xT) .

◮ Generalizes when Q does not map to (0, —) ◮ Close connection between action of Q and isogeny!

9 April 2018 7 / 11

Application to Montgomery curves

This works perfectly for Montgomery curves! (1) A distinguished point Q = (0, 0) of order two (2) A very simple action (xT, —) + Q =

• 1

xT , —

• 9 April 2018

8 / 11

Application to Montgomery curves

This works perfectly for Montgomery curves! (1) A distinguished point Q = (0, 0) of order two (2) A very simple action (xT, —) + Q =

• 1

xT , —

• =

⇒ φ(x) =  x

• T∈G\∞

x · xT − 1 x − xT , —  

9 April 2018 8 / 11

Application to Montgomery curves

This works perfectly for Montgomery curves! (1) A distinguished point Q = (0, 0) of order two (2) A very simple action (xT, —) + Q =

• 1

xT , —

• =

⇒ φ(x) =  x

• T∈G\∞

x · xT − 1 x − xT , —   and A′ = π(A − 3σ), where π =

• T∈G\∞

xT , σ =

• T∈G\∞

xT − 1 xT

9 April 2018 8 / 11

Application to Montgomery curves

This works perfectly for Montgomery curves! (1) A distinguished point Q = (0, 0) of order two (2) A very simple action (xT, —) + Q =

• 1

xT , —

• =

⇒ φ(x) =  x

• T∈G\∞

x · xT − 1 x − xT , —   and A′ = π(A − 3σ), where π =

• T∈G\∞

xT , σ =

• T∈G\∞

xT − 1 xT for any subgroup not containing (0, 0), generalizing [CH17]

9 April 2018 8 / 11

Isogenies of degree two..

A curve has three points of order two, one of which is (0, 0) M0

9 April 2018 9 / 11

Isogenies of degree two..

A curve has three points of order two, one of which is (0, 0) ker = (0, 0) M0

9 April 2018 9 / 11

Isogenies of degree two..

A curve has three points of order two, one of which is (0, 0) M0

9 April 2018 9 / 11

Isogenies of degree two..

A curve has three points of order two, one of which is (0, 0) M0

9 April 2018 9 / 11

Isogenies of degree two..

A curve has three points of order two, one of which is (0, 0) M0 M1

9 April 2018 9 / 11

Isogenies of degree two..

A curve has three points of order two, one of which is (0, 0) M0 M1

9 April 2018 9 / 11

Isogenies of degree two..

A curve has three points of order two, one of which is (0, 0) ker = (0, 0) M0 M1

9 April 2018 9 / 11

Isogenies of degree two..

A curve has three points of order two, one of which is (0, 0) M0 M1 M2

9 April 2018 9 / 11

Isogenies of degree two..

A curve has three points of order two, one of which is (0, 0) M0 M1 M2

9 April 2018 9 / 11

Isogenies of degree two..

A curve has three points of order two, one of which is (0, 0) M0 M1 M2 M3

9 April 2018 9 / 11

Isogenies of degree two..

A curve has three points of order two, one of which is (0, 0) M0 M1 M2 M3

9 April 2018 9 / 11

Isogenies of degree two..

A curve has three points of order two, one of which is (0, 0) M0 M1 M2 M3 2×2-isogeny 4-isogeny Co-domain 4S 4S + a

9 April 2018 9 / 11

Isogenies of degree two..

A curve has three points of order two, one of which is (0, 0) M0 M1 M2 M3 2×2-isogeny 4-isogeny Co-domain 4S 4S + a Evaluate 8M + 12a 6M + 2S + 10a

9 April 2018 9 / 11

Other curve models..

◮ Apply to Tate Normal Form

◮ y 2 + axy + by = x3 + cx2 ◮ Point Q = (0, 0) of order ℓ

◮ For ℓ have b = c = 0 and

(xT, yT) + (0, 0) = −yT x2

T

, −yT x3

T

• .

Results (currently) not better than Montgomery!

◮ Other models..?

9 April 2018 10 / 11

Thanks for your attention! http://www.cs.ru.nl/~jrenes/

9 April 2018 11 / 11

References I

[Aza+17] Reza Azarderakhsh, Matthew Campagna, Craig Costello, Luca De Feo, Basil Hess, Amir Jalali, David Jao, Brian Koziel, Brian LaMacchia, Patrick Longa, Michael Naehrig, Joost Renes, Vladimir Soukharev and David Urbanik. Supersingular Isogeny Key Encapsulation – Submission to the NIST’s Post-Quantum Cryptography Standardization Process. Available at https: //csrc.nist.gov/CSRC/media/Projects/Post-Quantum- Cryptography/documents/round-1/submissions/SIKE.zip. 2017. [CH17] Craig Costello and H¨ useyin Hisil. “A Simple and Compact Algorithm for SIDH with Arbitrary Degree Isogenies”. In: Advances in Cryptology - ASIACRYPT 2017 - 23rd International Conference on the Theory and Applications of Cryptology and Information Security, Hong Kong, China, December 3-7, 2017, Proceedings, Part II. 2017, pp. 303–329.

9 April 2018 12 / 11

References II

[JF11] David Jao and Luca De Feo. “Towards Quantum-Resistant Cryptosystems from Supersingular Elliptic Curve Isogenies”. In: Post-Quantum Cryptography (PQCrypto 2011). Ed. by Bo-Yin Yang. Vol. 7071. Lecture Notes in Computer Science. Springer, 2011, pp. 19–34.

9 April 2018 13 / 11