csi fish efficient isogeny based signatures through class
play

CSI-FiSh: Efficient Isogeny based Signatures through Class Group - PowerPoint PPT Presentation

Nov 02, 2022 •328 likes •1.2k views

CSI-FiSh: Efficient Isogeny based Signatures through Class Group Computations Ward Beullens Thorsten Kleinjung Frederik Vercauteren imec - COSIC December 3, 2019 Introduction : CSIDH [Castryck et al.] 1/34 Take the supersingular elliptic

  1. CSI-FiSh: Efficient Isogeny based Signatures through Class Group Computations Ward Beullens Thorsten Kleinjung Frederik Vercauteren imec - COSIC December 3, 2019

  2. Introduction : CSIDH [Castryck et al.] 1/34 Take the supersingular elliptic curve E 0 : y 2 = x 3 + x mod p = 4 · 3 · 5 · . . . · 373 · 587 − 1 . Let O = End p ( E 0 ) ≃ Z ( √− p ) .

  3. Introduction : CSIDH [Castryck et al.] 1/34 Take the supersingular elliptic curve E 0 : y 2 = x 3 + x mod p = 4 · 3 · 5 · . . . · 373 · 587 − 1 . Let O = End p ( E 0 ) ≃ Z ( √− p ) . The class group cl ( O ) acts freely and transitively on a set of supersingular elliptic curves X = E ℓℓ p ( O , π ) .

  4. Introduction : CSIDH [Castryck et al.] 1/34 Take the supersingular elliptic curve E 0 : y 2 = x 3 + x mod p = 4 · 3 · 5 · . . . · 373 · 587 − 1 . Let O = End p ( E 0 ) ≃ Z ( √− p ) . The class group cl ( O ) acts freely and transitively on a set of supersingular elliptic curves X = E ℓℓ p ( O , π ) . 74 “simple” ideals whose action can be computed efficiently: l 1 = (3 , π − 1) , · · · , l 74 = (587 , π − 1)

  5. Introduction : CSIDH [Castryck et al.] 1/34 Take the supersingular elliptic curve E 0 : y 2 = x 3 + x mod p = 4 · 3 · 5 · . . . · 373 · 587 − 1 . Let O = End p ( E 0 ) ≃ Z ( √− p ) . The class group cl ( O ) acts freely and transitively on a set of supersingular elliptic curves X = E ℓℓ p ( O , π ) . 74 “simple” ideals whose action can be computed efficiently: l 1 = (3 , π − 1) , · · · , l 74 = (587 , π − 1) CSIDH-512: Efficient Post-Quantum Diffie-Hellman protocol based on this action. Reasonably fast ( ± 80 ms) and very small keys.

  6. Introduction : CSIDH [Castryck et al.] 1/34 Take the supersingular elliptic curve E 0 : y 2 = x 3 + x mod p = 4 · 3 · 5 · . . . · 373 · 587 − 1 . Let O = End p ( E 0 ) ≃ Z ( √− p ) . The class group cl ( O ) acts freely and transitively on a set of supersingular elliptic curves X = E ℓℓ p ( O , π ) . 74 “simple” ideals whose action can be computed efficiently: l 1 = (3 , π − 1) , · · · , l 74 = (587 , π − 1) CSIDH-512: Efficient Post-Quantum Diffie-Hellman protocol based on this action. Reasonably fast ( ± 80 ms) and very small keys. Can we do signatures ?

  7. Introduction : Seasign [De Feo, Galbraith] 2/34 [Rostovstev]: FS signatures from Graph Isomorphism-like identification scheme.

  8. Introduction : Seasign [De Feo, Galbraith] 2/34 [Rostovstev]: FS signatures from Graph Isomorphism-like identification scheme. problem: We cannot uniquely represent elements g = � 74 i =1 l e i i . ⇒ Signatures leak secret key.

  9. Introduction : Seasign [De Feo, Galbraith] 2/34 [Rostovstev]: FS signatures from Graph Isomorphism-like identification scheme. problem: We cannot uniquely represent elements g = � 74 i =1 l e i i . ⇒ Signatures leak secret key. solution: [SeaSign] Rejection sampling to prevent leakage. ⇒ Slow signing and large signatures (e.g. 17 min and 12 KB).

  10. Introduction : Seasign [De Feo, Galbraith] 2/34 [Rostovstev]: FS signatures from Graph Isomorphism-like identification scheme. problem: We cannot uniquely represent elements g = � 74 i =1 l e i i . ⇒ Signatures leak secret key. solution: [SeaSign] Rejection sampling to prevent leakage. ⇒ Slow signing and large signatures (e.g. 17 min and 12 KB). Can we do better ?

  11. Introduction: CSI-FiSh 3/34 We compute the structure of cl ( O ) : It is cyclic of order N =3 · 37 · 1407181 · 51593604295295867744293584889 · 31599414504681995853008278745587832204909 and generated by g = l 1 = (3 , π − 1) . We can uniquely represent elements of cl ( O ) as g a with a ∈ Z /N Z . CSI-FiSh: Isogeny signatures without rejection sampling ⇒ Much more efficient (e.g. 335 ms min and 2 KB).

  12. Outline of the talk 4/34 1 Some Isogeny-Based Crypto 2 Class group computation 3 CSI-FiSh

  13. Outline 5/34 1 Some Isogeny-Based Crypto 2 Class group computation 3 CSI-FiSh

  14. Elliptic curves and isogenies 6/34 Definition (Elliptic curve) Elliptic curves are curves defined by an equation of the form y 2 = x 3 + ax + b . Definition (Isogeny) → An isogeny of elliptic curves E, E ′ is a non-zero algebraic group morphism from E to E ′ .

  15. Endomorphisms 7/34 Definition (Endomorphism) An isogeny from a curve E to itself is called an endomorphism Examples: multiplication by n : P �→ P + P + · · · + P (n times). In characteristic p : Frobenius π : ( x, y ) �→ ( x p , y p ) . Endomorphisms form a ring End ( E ) : pointwise addition: ( φ 1 + φ 2 )( P ) = φ 1 ( P ) + φ 2 ( P ) multiplication by composition : φ 1 · φ 2 = φ 1 ◦ φ 2 Endomorphisms defined over F p form a Commutative subring! If End p ( E ) = End ( E ) , then E is ordinary, otherwise E is supersingular.

  16. Separable isogenies ↔ finite subgroups 8/34 Fact 1: An isogeny E → E ′ has a finite kernel. And conversely: Fact 2: For every finite subgroup H ⊂ E , there exists an isogeny φ : E → E ′ with kernel H . And this E ′ is unique (up to isomorphism).

  17. Separable isogenies ↔ finite subgroups 8/34 Fact 1: An isogeny E → E ′ has a finite kernel. And conversely: Fact 2: For every finite subgroup H ⊂ E , there exists an isogeny φ : E → E ′ with kernel H . And this E ′ is unique (up to isomorphism). Moreover, if H and E are defined over F p , then φ and E ′ are defined over F p Notation Given, H ⊂ E , we write E ′ = E/H .

  18. Class group action 9/34 Let E/ F p be a curve with End F p ( E ) = O and let the ideal class group of O ( denoted by cl ( O ) ) be the group of invertible fractional ideals modulo principal ideals. Then cl ( O ) acts on the set of elliptic curves defined over F p with F p -endomorphism ring O : �� � [ I ] ⋆ E = E/ ker α α ∈ I Well defined because: isogenous curves have same endomorphism ring principal ideals act trivially: [ � α � ] ⋆ E = E/ (ker α ) = E

  19. Class group action for CSIDH-512 10/34 [Castryck, Lange, Martindale, Panny, Renes] Choose p = 4 · 3 · 5 · . . . · 376 · 587 − 1 (which is prime), then E 0 : y 2 = x 3 + x is a supersingular elliptic curve with End F p ( E ) = Z [ π ] ≈ Z [ √− p ] . Let X = { E | E is supersingular and End F q ( E ) = Z [ π ] } . Then cl ( Z [ π ]) acts freely and transitively on X . One can efficiently compute the action of ideal classes of the form [ ℓ 1 ] = [(3 , π − 1)] , · · · , [ ℓ 74 ] = [(587 , π − 1)] and their inverses. A priori, we only really have a group action from Z 74 on X .

  20. Example 11/34 Images stolen from Wouter Castryck

  21. Example 11/34 Images stolen from Wouter Castryck

  22. Example 11/34 Images stolen from Wouter Castryck

  23. Example 11/34 Images stolen from Wouter Castryck

  24. Example 11/34 Images stolen from Wouter Castryck

  25. Example 11/34 Images stolen from Wouter Castryck

  26. Example 11/34 Images stolen from Wouter Castryck

  27. Example 11/34 Images stolen from Wouter Castryck

  28. Example 11/34 Images stolen from Wouter Castryck

  29. Example 11/34 Images stolen from Wouter Castryck

  30. Example 11/34 Images stolen from Wouter Castryck

  31. Example 11/34 Images stolen from Wouter Castryck

  32. Example 11/34 Images stolen from Wouter Castryck

  33. Example 11/34 Images stolen from Wouter Castryck

  34. Example 11/34 Images stolen from Wouter Castryck

  35. Example 11/34 Images stolen from Wouter Castryck

  36. Example 11/34 Images stolen from Wouter Castryck

  37. Example 11/34 Images stolen from Wouter Castryck

  38. Example 11/34 Images stolen from Wouter Castryck

  39. Vectorization and Paralellization 12/34 Vectorization problem ∼ DLOG given E, E ′ , hard to find [ a ] ∈ cl ( O ) such that [ a ] ⋆ X = Y . E ′ E ? Paralellization problem ∼ CDH given E, [ a ] ⋆ E, [ b ] ⋆ E , hard to compute [ ab ] ⋆ X . [ a ] ⋆ X [ a ] ⋆ [ a ] ⋆ X ? [ b ] ⋆ [ b ] ⋆ [ b ] ⋆ X

  40. CSIDH key exchange 13/34 Trump chooses secret key [ a ] , Zelensky chooses secret key [ b ] . 74 74 � [ ℓ i ] b i � [ ℓ i ] a i [ b ] = [ a ] = i =1 i =1 E a =[ a ] ⋆E 0 − − − − − − − − − − → E b =[ b ] ⋆E 0 ← − − − − − − − − − − ↓ ↓ [ a ] ⋆ E b [ b ] ⋆ E a Eavesdropper learns [ a ] ⋆ E 0 and [ b ] ⋆ E 0 , but not [ ab ] ⋆ E 0

  41. CSIDH and Seasign 14/34 CSIDH Advantages: CSIDH Disadvantages: non-interactive Speed: ∼ 35 ms CCA-security Subexponential quantum attack key size: 64 Bytes

  42. CSIDH and Seasign 14/34 CSIDH Advantages: CSIDH Disadvantages: non-interactive Speed: ∼ 35 ms CCA-security Subexponential quantum attack key size: 64 Bytes Can we do authentication/signatures? Problem is Z 74 ↔ cl ( O ) . We can’t sample uniformly from cl ( O ) . We dont have a unique way to represent elements in cl ( O ) .

  43. CSIDH and Seasign 14/34 CSIDH Advantages: CSIDH Disadvantages: non-interactive Speed: ∼ 35 ms CCA-security Subexponential quantum attack key size: 64 Bytes Can we do authentication/signatures? Problem is Z 74 ↔ cl ( O ) . We can’t sample uniformly from cl ( O ) . We dont have a unique way to represent elements in cl ( O ) . Seasign[DeFeo,Galbraith]+[Decru,Panny,Vercauteren]: Expensive workaround by using a very redundant representation of class group elements: Public key 16 KB, signatures 4 KB, 4 minutes.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

SeaSign: Compact isogeny signatures from class group actions Luca De Feo 1 , Steven D. Galbraith 2

SeaSign: Compact isogeny signatures from class group actions Luca De Feo 1 , Steven D. Galbraith 2

SeaSign: Compact isogeny signatures from class group actions Luca De Feo 1 , Steven D. Galbraith 2 1 Universit Paris Saclay UVSQ, France 2 University of Auckland, New Zeland May 23, 2019, Eurocrypt, Darmstadt Slides online at

740 views • 43 slides
Efficient Unlinkable Sanitizable Signatures from Signatures with Re-Randomizable Keys Nils

Efficient Unlinkable Sanitizable Signatures from Signatures with Re-Randomizable Keys Nils

Efficient Unlinkable Sanitizable Signatures from Signatures with Re-Randomizable Keys Nils Fleischhacker Johannes Krupp Giulio Malavolta Jonas Schneider Dominique Schr oder Mark Simkin March 7, 2016 Sanitizable Signatures

577 views • 46 slides
Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures 2020-03-03 1 Outline Why assumptions? Efficient one-time signatures Digital Signatures 2020-03-03 2 Recap: Lamport EUF-1-CMA secure

1.14k views • 37 slides
Faster Isogeny-Based Compressed Key Agreement Gustavo H. M. Zanon, Marcos A. Simplicio Jr,

Faster Isogeny-Based Compressed Key Agreement Gustavo H. M. Zanon, Marcos A. Simplicio Jr,

Faster Isogeny-Based Compressed Key Agreement Gustavo H. M. Zanon, Marcos A. Simplicio Jr, Geovandro C. C. F. Pereira , Javad Doliskani, and Paulo S. L. M. Barreto. 1 REVI EW : SI DH AND COMPRESSED KEYS 2 Isogeny-based Crypto n SIDH:

856 views • 81 slides
Why attribute-based signatures? The kind of authentication required in an attribute-based system

Why attribute-based signatures? The kind of authentication required in an attribute-based system

Attribute-Based Signatures Hemanta K. Maji Manoj Prabhakaran Mike Rosulek November 22, 2010 Abstract We introduce Attribute-Based Signatures (ABS) , a versatile primitive that allows a party to sign a message with fine-grained

864 views • 35 slides
Construction of Universal Designated-Verifier Signatures and Identity-Based Signatures from

Construction of Universal Designated-Verifier Signatures and Identity-Based Signatures from

Motivation Research Question Results Conclusion Notes Construction of Universal Designated-Verifier Signatures and Identity-Based Signatures from Standard Signatures Siamak Shahandashti 1 Rei Safavi-Naini 2 1 SCSSE & CCISR, Uni

465 views • 46 slides
Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures 2020-02-25 1 Outline Recap: security experiments Message space extension One-time signatures One-time signatures from one-way functions Digital

1.07k views • 48 slides
Another Look At Some Isogeny Hardness Assumptions Simon-Phillipp Merz, Romy Minko, Christophe

Another Look At Some Isogeny Hardness Assumptions Simon-Phillipp Merz, Romy Minko, Christophe

Another Look At Some Isogeny Hardness Assumptions Simon-Phillipp Merz, Romy Minko, Christophe Petit ECC 2019 3 December 1 / 50 Motivation Isogeny based cryptography Another Look at Provable Security Neal Koblitz Dept. of

780 views • 61 slides
Getting Fish to Market Class 1 Budget Nunavut Health Pilot program Fish being delivered

Getting Fish to Market Class 1 Budget Nunavut Health Pilot program Fish being delivered

Getting Fish to Market Class 1 Budget Nunavut Health Pilot program Fish being delivered May be expanded Other Markets require CFIA Certification 16 Fisheries Master Plan Building a Modern Community Fishery Living document

172 views • 15 slides
More Efficient (Almost) Tightly Secure Structure-Preserving Signatures Romain Gay 1 Dennis

More Efficient (Almost) Tightly Secure Structure-Preserving Signatures Romain Gay 1 Dennis

More Efficient (Almost) Tightly Secure Structure-Preserving Signatures Romain Gay 1 Dennis Hofheinz 2 Lisa Kohl 2 Jiaxin Pan 2 1 ENS Paris, France 2 Karlsruhe Institute of Technology, Germany R. Gay, D. Hofheinz, L. Kohl, J. Pan More Efficient

827 views • 45 slides
Elliptic Curve Isogeny Based Cryptosystems Frederik Vercauteren Open Security Research (China)

Elliptic Curve Isogeny Based Cryptosystems Frederik Vercauteren Open Security Research (China)

Elliptic Curve Isogeny Based Cryptosystems Frederik Vercauteren Open Security Research (China) KU Leuven ESAT/COSIC (Belgium) frederik.vercauteren@gmail.com 23 August 2016 Frederik Vercauteren Elliptic Curve Isogeny Based Cryptosystems 23

839 views • 52 slides
Lattice-based signatures Extra lecture for the Digital Signatures course 2020 Dennis

Lattice-based signatures Extra lecture for the Digital Signatures course 2020 Dennis

Lattice-based signatures Extra lecture for the Digital Signatures course 2020 Dennis Hofheinz ETH Zrich Quantum computers Grovers algorithm: speed up searches (N O(N)) Bigger problem for cryptography: Shors algorithm

468 views • 15 slides
Signatures Lecture 22 Signatures Signatures Signatures with various functionality/properties

Signatures Lecture 22 Signatures Signatures Signatures with various functionality/properties

Signatures Lecture 22 Signatures Signatures Signatures with various functionality/properties Signatures Signatures with various functionality/properties Constructions come in different flavors (well sample each flavor): Signatures

1.55k views • 131 slides
Isogeny Based Cryptography: an Introduction Luca De Feo IBM Research Zrich November 18, 2019

Isogeny Based Cryptography: an Introduction Luca De Feo IBM Research Zrich November 18, 2019

Isogeny Based Cryptography: an Introduction Luca De Feo IBM Research Zrich November 18, 2019 Simula UiB, Bergen Slides online at https://defeo.lu/docet Why isogenies? Six families still in NIST post-quantum competition: Lattices 9

2k views • 172 slides
Isogeny Based Cryptography: an Introduction Luca De Feo IBM Research Zrich November 28, 2019

Isogeny Based Cryptography: an Introduction Luca De Feo IBM Research Zrich November 28, 2019

Isogeny Based Cryptography: an Introduction Luca De Feo IBM Research Zrich November 28, 2019 NTNU, Trondheim Slides online at https://defeo.lu/docet Why isogenies? Six families still in NIST post-quantum competition: Lattices 9 encryption

1.95k views • 160 slides
Hash-based signatures Tanja Lange (with some slides by Daniel J. Bernstein) Eindhoven University

Hash-based signatures Tanja Lange (with some slides by Daniel J. Bernstein) Eindhoven University

Hash-based signatures Tanja Lange (with some slides by Daniel J. Bernstein) Eindhoven University of Technology 20 July 2020 Benefits of hash-based signatures Old idea: 1979 Lamport one-time signatures. 1979 Merkle extends to more

659 views • 40 slides
Digital Signatures from Symmetric-Key Primitives Christian Rechberger IAIK, TU Graz and DTU

Digital Signatures from Symmetric-Key Primitives Christian Rechberger IAIK, TU Graz and DTU

Digital Signatures from Symmetric-Key Primitives Christian Rechberger IAIK, TU Graz and DTU Compute, DTU March 7, 2017 Based on Joint Work With David Derler Claudio Orlandi Sebastian Ramacher Daniel Slamanig TU Graz Aarhus University TU

187 views • 14 slides
70: Discrete Math and Probability Theory Programming + Microprocessors Superpower! What are

70: Discrete Math and Probability Theory Programming + Microprocessors Superpower! What are

70: Discrete Math and Probability Theory Programming + Microprocessors Superpower! What are your super powerful programs/processors doing? Logic and Proofs! Induction Recursion. What can computers do? Work with discrete objects. Discrete

449 views • 23 slides
General Outline What are fisheries? 1. Introduction Definition: an entity representing the

General Outline What are fisheries? 1. Introduction Definition: an entity representing the

General Outline What are fisheries? 1. Introduction Definition: an entity representing the harvest animals from aquatic environments 2. Fisheries Science Exploitation 3. Effects of Fishing Economics 4. Fisheries Biology

187 views • 7 slides
ANLP Lecture 15 Dependency Syntax and Parsing Shay Cohen (based on slides by Sharon Goldwater

ANLP Lecture 15 Dependency Syntax and Parsing Shay Cohen (based on slides by Sharon Goldwater

ANLP Lecture 15 Dependency Syntax and Parsing Shay Cohen (based on slides by Sharon Goldwater and Nathan Schneider) 18 October, 2019 Last class Probabilistic context-free grammars Probabilistic CYK Best-first parsing Problems

1.03k views • 51 slides
NFWF National Fish and Wildlife Foundation Presentation by Gulf Restoration Network Payout

NFWF National Fish and Wildlife Foundation Presentation by Gulf Restoration Network Payout

NFWF National Fish and Wildlife Foundation Presentation by Gulf Restoration Network Payout Schedule Settlement Monies from BP and Transocean Total funds equal $2.544 Billion from BP and Transocean Plea Agreements BP ($2.394 billion) and

893 views • 7 slides
GEARNET: Summary and successes of a new approach to conservation engineering Michael Pol

GEARNET: Summary and successes of a new approach to conservation engineering Michael Pol

GEARNET: Summary and successes of a new approach to conservation engineering Michael Pol Massachusetts Division of Marine Fisheries Steve Eayrs Gulf of Maine Research Institute Pingguo He School for Marine Science and Technology,

436 views • 17 slides
Revisiting Leakage Abuse Attacks Laura Blackstone Seny Kamara Tarik Moataz AROKI SYSTEMS

Revisiting Leakage Abuse Attacks Laura Blackstone Seny Kamara Tarik Moataz AROKI SYSTEMS

Revisiting Leakage Abuse Attacks Laura Blackstone Seny Kamara Tarik Moataz AROKI SYSTEMS Encrypted Search Trusted client Untrusted server Cat Fish Cat Dog Dog 2 Encrypted Search Cat Fish Encrypted Trusted client Cat Untrusted

983 views • 60 slides
Linear Regression Part 1: Fitting Lines INFO-1301, Quantitative Reasoning 1 University of

Linear Regression Part 1: Fitting Lines INFO-1301, Quantitative Reasoning 1 University of

Linear Regression Part 1: Fitting Lines INFO-1301, Quantitative Reasoning 1 University of Colorado Boulder April 19, 2017 Prof. Michael Paul Interpreting Linear Functions Fishermen in the Finger Lakes Region have been recording the dead fish

126 views • 10 slides

More recommend