SLIDE 1

Cryptographic Schemes Based on Isogenies

Anton Stolbunov Trondheim, January 23, 2012

www.ntnu.no Anton Stolbunov, Cryptographic Schemes Based on Isogenies

SLIDE 2

Outline

[Ch. 1] Introduction
[Ch. 2] Constructing Cryptographic Schemes Based on Isogenies
[Ch. 3] Security Reductions for Schemes Based on Group Action
[Ch. 4] Improved Algorithm for the Isogeny Problem


SLIDE 3

Motivation for Research

— security of current asymmetric cryptographic schemes is decreasing (index calculus algorithms, Shor's algorithm, etc.);
— cryptographic schemes based on new hard computational problems are needed;
— elliptic curves and imaginary quadratic fields are well studied and good algorithms are available.


SLIDE 4

Research Questions

1. How can isogenies between ordinary elliptic curves be used for building cryptographic schemes? Which schemes can be built? What is the efficiency of such schemes?
2. On which computational problems does the security of the proposed schemes depend?
3. What is the computational complexity of these problems?


SLIDE 5

Related Work: Cryptographic Schemes Based on Isogenies

[Teske 2003] key escrow system;
[Rostovtsev et al. 2004] ordered digital signature scheme;
[Rostovtsev, Stolbunov 2006] public-key encryption scheme;
[Couveignes 2006] key agreement, authentication and Σ-protocols;
[Charles et al. 2009] hash using supersingular-curve isogenies;
[Weiwei, Debiao 2010], [Debiao et al. 2011] authenticated key agreement protocols;
[Jao, De Feo 2011] key agreement and public-key encryption using supersingular-curve isogenies.


SLIDE 6

Elliptic Curves

Let F be a field with char(F) ≠ 2, 3. An elliptic curve E/F is a non-singular algebraic curve defined by Y^2 = X^3 + aX + b, where a and b lie in F. Let L ⊇ F be an extension field. E(L) := {points over L} ∪ {P∞} is called the group of points of E over L. The j-invariant is j(E) := 1728 · 4a^3 / (4a^3 + 27b^2).

Example

E/F47: Y^2 = X^3 + X + 5


SLIDE 7

Isogenies

An isogeny φ from E1 to E2 is a (nonconstant) homomorphism φ : E1(F) → E2(F) that is given by rational functions.

Example (cont.)

E1/F47: Y^2 = X^3 + X + 5, j(E1) = 27;
E2/F47: Y^2 = X^3 + 32X + 19, j(E2) = 24.

φ: E1 → E2, (X, Y) ↦ ( (X^2 − 17X + 22) / (X − 17), ((X^2 + 13X − 15) / (X^2 + 13X + 7)) · Y ).

ker(φ) = {(17, 0), P∞}, deg(φ) = 2.
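An added example (my code, not part of the slides or of ClassEll) that recomputes this 2-isogeny with Vélu's formulas over F47 and checks it against the slide's data: both j-invariants, the codomain coefficients, the printed rational functions, and that the image has #E1(F47)/deg(φ) = 21 points. The brute-force point enumeration is only sensible at this toy field size.

```python
# Added example, not from the slides: slide 7's 2-isogeny via Velu's formulas over F_47.
p = 47  # the field of the slide example

def inv(x):
    return pow(x % p, p - 2, p)  # Fermat inverse, p prime

def j_invariant(a, b):
    # j(E) = 1728 * 4a^3 / (4a^3 + 27b^2) for E: Y^2 = X^3 + aX + b
    num = 4 * a ** 3
    return 1728 * num * inv(num + 27 * b ** 2) % p

def on_curve(a, b, pt):
    # None stands for the point at infinity P_inf
    return pt is None or (pt[1] ** 2 - (pt[0] ** 3 + a * pt[0] + b)) % p == 0

def points(a, b):
    # brute-force enumeration of E(F_p); fine for p = 47, not for real parameters
    return [None] + [(x, y) for x in range(p) for y in range(p)
                     if on_curve(a, b, (x, y))]

def velu_2_isogeny(a, b, x0):
    """2-isogeny with kernel {(x0, 0), P_inf}. Returns (a', b', phi)."""
    t = (3 * x0 * x0 + a) % p
    a2, b2 = (a - 5 * t) % p, (b - 7 * x0 * t) % p
    def phi(pt):
        if pt is None or pt[0] == x0:  # the kernel maps to P_inf
            return None
        x, y = pt
        d = inv(x - x0)
        return ((x + t * d) % p, y * (1 - t * d * d) % p)
    return a2, b2, phi

def slide_phi(pt):
    # the rational functions printed on slide 7, used for cross-checking
    if pt is None or pt[0] == 17:
        return None
    x, y = pt
    xx = (x * x - 17 * x + 22) * inv(x - 17) % p
    yy = (x * x + 13 * x - 15) * inv(x * x + 13 * x + 7) * y % p
    return (xx, yy)

def check_slide_example():
    a2, b2, phi = velu_2_isogeny(1, 5, 17)      # E1: Y^2 = X^3 + X + 5
    e1 = points(1, 5)
    image = {phi(P) for P in e1}
    return {"j1": j_invariant(1, 5), "E2": (a2, b2), "j2": j_invariant(a2, b2),
            "order": len(e1), "image_size": len(image),
            "on_E2": all(on_curve(a2, b2, Q) for Q in image),
            "matches_slide": all(phi(P) == slide_phi(P) for P in e1)}
```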


SLIDE 8

Class Group Action on j-Invariants in C

Let K be an imaginary quadratic field and OK its ring of integers. CL(OK) = {[a1], ..., [ah]} is the ideal class group of OK. ELLσ(OK) := {j(a1), ..., j(ah)} is the set of j-invariants of the fractional ideals of OK for a fixed embedding σ of K in C. The action ∗ of CL(OK) on ELLσ(OK) is defined as ∗: CL(OK) × ELLσ(OK) → ELLσ(OK), ([a], j(b)) ↦ j(a^(−1) b). H = K(j(OK)) is the Hilbert class field of K. All j(ai) lie in OH. Let 𝔭 be a prime ideal of OH above a prime p that splits completely in OH. Reduction modulo 𝔭 maps the elements j(ai) to j-invariants of ordinary elliptic curves over OH/𝔭 ≅ Fp.


SLIDE 9

Class Group Action on a Set of Isogenous Ordinary Elliptic Curves

ELLp,n(OK) := {j(E/Fp): #E(Fp) = n, End(E) ≅ OK}. The group CL(OK) acts simply transitively on the set ELLp,n(OK).

Example (cont.)

E: Y^2 = X^3 + X + 5 over F47. j(E) = 27. EndF47(E) ≅ O−152.

CL(O−152)            Permutations on ELL47,42(O−152)
g   = [(3, 2, ·)]    (27 12 15 24 41 19)
g^2 = [(6, 4, ·)]    (27 15 41)(19 12 24)
g^3 = [(2, 0, ·)]    (27 24)(19 15)(41 12)
g^4 = [(6, −4, ·)]   (27 41 15)(19 24 12)
g^5 = [(3, −2, ·)]   (27 19 41 24 15 12)
g^6 = [(1, 0, ·)]    (27)(19)(41)(24)(15)(12)

[Figure: the six j-invariants 27, 12, 19, 15, 41, 24 drawn as the vertices of the isogeny graph]

SLIDE 10

CONSTRUCTING CRYPTOGRAPHIC SCHEMES BASED ON ISOGENIES

(Chapter 2)


SLIDE 11

Key Agreement Protocol KA1

System parameters

Finite abelian group G acting by ∗ on a set X; an element x ∈ X.

The protocol (simplified)

A                              B
Input: −                       Input: −
a ←R G                         b ←R G
mA ← a ∗ x                     mB ← b ∗ x
        mA  ──────────────►
        ◄──────────────  mB
kA ← a ∗ mB                    kB ← b ∗ mA
Output: kA                     Output: kB

[Figure: commutative diagram with x, mA = a ∗ x, mB = b ∗ x and the shared key k = a ∗ mB = b ∗ mA]

SLIDE 12

More Schemes Based on Group Action

— public-key encryption scheme PE;
— authenticated key agreement protocols;
— digital signature scheme;
— secret-key encryption scheme;
— no-key secret message transfer protocol;
— commitment scheme.


SLIDE 13

Proposed Implementation Details for Schemes Based on Isogenies

— system parameter generation algorithm;
— representation of elements of CL(OK);
— efficient implementation of the class group action on ELLp,n(OK). One action is O(log(p)^5.3) bit operations;
— random sampling from the class group;
— pseudo-random sampling from a large class group.


SLIDE 14

Practical Implementation

Created an open-source package ClassEll for PARI/GP.

Average serial running time of one class group action

Security (bits)   ⌈log p⌉ (bits)   Time (seconds)
      75               224               19
      80               244               21
      96               304               56
     112               364               90
     128               428              229

timings for Intel Core i7 920 @ 3.6 GHz


SLIDE 15

SECURITY REDUCTIONS

FOR SCHEMES BASED ON GROUP ACTION

(Chapter 3)


SLIDE 16

Computational Problems

An abelian group G acts by ∗ on a set X.

Problem (Group Action Inverse (GAIP))

Given x, y ∈ G ∗ x, find g such that g ∗ x = y.

[Figure: x ──?──► y]

Problem (Decisional Diffie-Hellman Group Action (DDHAP))

Given x, y, z, r ∈ G ∗ x, decide whether r = (ab) ∗ x for some a and b satisfying y = a ∗ x and z = b ∗ x.

[Figure: x with arrows a to y and b to z; the question is whether r is the fourth corner k of the square]

Reducibility of Problems

Can solve GAIP ⇒ can solve DDHAP.
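An added example (my code, not from the slides or from ClassEll) that ties slides 9, 11 and 16 together: KA1 is run over the toy action of CL(O−152) on ELL47,42(O−152) tabulated on slide 9, and the GAIP is then solved by exhaustive search, which works only because this teaching group has six elements. Representing each class as a power g^k of the generator [(3, 2, ·)] and the action as repeated application of its 6-cycle is my reading of the slide 9 table.

```python
# Added example, not from the slides: KA1 over the 6-element class group action of
# slide 9, plus brute-force GAIP to show why a group this small is only a toy.
import secrets

# generator g = [(3, 2, .)] acts on ELL_{47,42}(O_-152) as the 6-cycle (27 12 15 24 41 19)
G_CYCLE = [27, 12, 15, 24, 41, 19]
ORDER = len(G_CYCLE)  # CL(O_-152) is cyclic of order 6, so every class is some g^k

def act(k, j):
    """g^k * j: apply the generator's cycle k times to the j-invariant j."""
    i = G_CYCLE.index(j)
    return G_CYCLE[(i + k) % ORDER]

def permutation(k):
    # the permutation of ELL_{47,42}(O_-152) induced by g^k, as on slide 9
    return {j: act(k, j) for j in G_CYCLE}

def ka1(x=27, a=None, b=None):
    """One run of KA1 (slide 11). a and b are the parties' secret exponents;
    they default to fresh random values. Returns (mA, mB, shared key)."""
    a = secrets.randbelow(ORDER) if a is None else a
    b = secrets.randbelow(ORDER) if b is None else b
    m_a, m_b = act(a, x), act(b, x)          # messages sent in the clear
    k_a, k_b = act(a, m_b), act(b, m_a)      # each side applies its own secret
    assert k_a == k_b                        # G is abelian, so the actions commute
    return m_a, m_b, k_a

def solve_gaip(x, y):
    """Exhaustive GAIP solver (slide 16): find k with g^k * x = y.
    Feasible only because ORDER == 6; with real parameters the class group
    is exponentially large and this loop is the attack the schemes must resist."""
    for k in range(ORDER):
        if act(k, x) == y:
            return k
    return None
```

Because the GAIP is trivial here, an eavesdropper who sees mA and mB recovers the key as act(solve_gaip(27, mA), mB); the security of KA1 rests entirely on the class group being large enough that no such search is feasible.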


SLIDE 17

Security Reductions

Theorem

If the DDHAP is hard, then the KA1 protocol is secure in the session-key authenticated-link model of Canetti and Krawczyk.

Theorem

If the DDHAP is hard and the hash function family is entropy smoothing, then the PE encryption scheme is IND-CPA secure (indistinguishability of encryptions under chosen-plaintext attack).


SLIDE 18

IMPROVED ALGORITHM

FOR THE ISOGENY PROBLEM

(Chapter 4) Co-authored with Steven Galbraith


SLIDE 19

The Isogeny Problem

Problem (Isogeny Problem for Ordinary Elliptic Curves)

Let E1/Fq and E2/Fq be ordinary elliptic curves satisfying #E1(Fq) = #E2(Fq). Compute an Fq-isogeny φ : E1 → E2.

Can solve IP with "comparable conductors" ⇔ can solve CL-GAIP.

Exponential-Time Classical Algorithms

[Galbraith 1999] uses an O(√#ELL) database of elliptic curves;
[Galbraith, Hess and Smart (GHS) 2002] use the parallel collision search algorithm.
We improve the GHS algorithm.

Subexponential-Time Quantum Algorithm

[Childs, Jao and Soukharev 2010] use algorithms for the hidden shift problem.


SLIDE 20

Proposed GHS Improvement

Our idea

Modify the random walk on the isogeny graph such that lower-degree (i.e. faster) isogenies are used more often.

Results

— provided formulae for the expected running time of the parallel collision search with uneven partitioning, and its variance;
— experimentally measured the average running time for various partitionings with ±0.1 % precision and 99.7 % confidence;
— results apply to generic adding walks with uneven partitioning;
— gave recommendations on frequencies of isogeny degrees;
— asymptotic complexity of isogeny search is O(q^(1/4+o(1)) log^2(q) log(log(q))) operations in Fq.


SLIDE 21

Quantified Improvement over GHS

Expected time of an isogeny search over a 160-bit prime field using ClassEll on a single-core 2.67 GHz CPU, years

                  geometric progression ratio of partitioning
# partitions        1       3/4       1/2       1/3       1/4
     4           8708      6940      5429      4727      4690
     5           6455      4495      2758      1925      1652
     6           5514      3396      1755      1130       988
     7           5068      2827      1334       904       858
     8           4891      2530      1154       847       848
     9           4930      2415      1093       842       856
    10           5549      2548      1110       858       870
    12           7409      2915      1157       891       903
    14           9519      3255      1205       923       932
    16          12200      3541      1242       949       955

Approximately 14× improvement over the GHS algorithm!


SLIDE 22

Conclusions

— many cryptographic schemes can be implemented using ordinary-curve isogenies;
— cryptographic operations are polynomial-time, but slower than contemporary alternatives;
— exponential complexity of the isogeny problem in the pre-quantum world. Short keys and low bandwidth usage.
