CSI-FiSh: Efficient Isogeny based Signatures through Class Group Computations
Ward Beullens, Thorsten Kleinjung, Frederik Vercauteren
imec - COSIC
December 3, 2019
Introduction : CSIDH [Castryck et al.]
1/34
Take the supersingular elliptic curve E0 : y^2 = x^3 + x mod p, where p = 4 · 3 · 5 · ... · 373 · 587 − 1. Let O = End_p(E0) ≃ Z[√−p].
The class group cl(O) acts freely and transitively on a set of supersingular elliptic curves X = Eℓℓ_p(O, π).
74 "simple" ideals whose action can be computed efficiently: l1 = (3, π − 1), ..., l74 = (587, π − 1).
CSIDH-512: efficient post-quantum Diffie-Hellman protocol based on this action. Reasonably fast (± 80 ms) and very small keys.
Can we do signatures?
Introduction : Seasign [De Feo, Galbraith]
2/34
[Rostovtsev]: FS signatures from a Graph Isomorphism-like identification scheme.
Problem: we cannot uniquely represent elements g = ∏_{i=1}^{74} l_i^{e_i}. ⇒ Signatures leak the secret key.
Solution: [SeaSign] rejection sampling to prevent leakage. ⇒ Slow signing and large signatures (e.g. 17 min and 12 KB).
Can we do better?
Introduction: CSI-FiSh
3/34
We compute the structure of cl(O): it is cyclic of order N = 3 · 37 · 1407181 · 51593604295295867744293584889 · 31599414504681995853008278745587832204909 and generated by g = l1 = (3, π − 1). We can uniquely represent elements of cl(O) as g^a with a ∈ Z/NZ.
CSI-FiSh: isogeny signatures without rejection sampling ⇒ much more efficient (e.g. 335 ms and 2 KB).
Outline of the talk
4/34
1. Some Isogeny-Based Crypto
2. Class group computation
3. CSI-FiSh
Outline
5/34
1. Some Isogeny-Based Crypto
2. Class group computation
3. CSI-FiSh
Elliptic curves and isogenies
6/34
Definition (Elliptic curve)
Elliptic curves are curves defined by an equation of the form y^2 = x^3 + ax + b.
Definition (Isogeny)
An isogeny of elliptic curves E, E′ is a non-zero algebraic group morphism from E to E′.
Endomorphisms
7/34
Definition (Endomorphism)
An isogeny from a curve E to itself is called an endomorphism.
Examples: multiplication by n : P ↦ P + P + · · · + P (n times). In characteristic p: Frobenius π : (x, y) ↦ (x^p, y^p).
Endomorphisms form a ring End(E): pointwise addition (φ1 + φ2)(P) = φ1(P) + φ2(P); multiplication by composition φ1 · φ2 = φ1 ∘ φ2.
Endomorphisms defined over F_p form a commutative subring!
If End_p(E) = End(E), then E is ordinary, otherwise E is supersingular.
Separable isogenies ↔ finite subgroups
8/34
Fact 1: An isogeny E → E′ has a finite kernel.
And conversely:
Fact 2: For every finite subgroup H ⊂ E, there exists an isogeny φ : E → E′ with kernel H. And this E′ is unique (up to isomorphism).
Moreover, if H and E are defined over F_p, then φ and E′ are defined over F_p.
Notation
Given H ⊂ E, we write E′ = E/H.
Class group action
9/34
Let E/F_p be a curve with End_{F_p}(E) = O and let the ideal class group of O (denoted by cl(O)) be the group of invertible fractional ideals modulo principal ideals. Then cl(O) acts on the set of elliptic curves defined over F_p with F_p-endomorphism ring O:
[I] ⋆ E = E / ⋂_{α∈I} ker α
Well defined because:
isogenous curves have the same endomorphism ring;
principal ideals act trivially: [α] ⋆ E = E/(ker α) = E.
Class group action for CSIDH-512
10/34
[Castryck, Lange, Martindale, Panny, Renes]
Choose p = 4 · 3 · 5 · ... · 373 · 587 − 1 (which is prime), then E0 : y^2 = x^3 + x is a supersingular elliptic curve with End_{F_p}(E) = Z[π] ≈ Z[√−p]. Let X = {E | E is supersingular and End_{F_p}(E) = Z[π]}. Then cl(Z[π]) acts freely and transitively on X.
One can efficiently compute the action of ideal classes of the form [ℓ1] = [(3, π − 1)], ..., [ℓ74] = [(587, π − 1)] and their inverses.
A priori, we only really have a group action from Z^74 on X.
Example
11/34
Images stolen from Wouter Castryck
Vectorization and Parallelization
12/34
Vectorization problem ∼ DLOG: given E, E′, hard to find [a] ∈ cl(O) such that [a] ⋆ E = E′.
Parallelization problem ∼ CDH: given E, [a] ⋆ E, [b] ⋆ E, hard to compute [ab] ⋆ E.
CSIDH key exchange
13/34
Trump chooses secret key [a] = ∏_{i=1}^{74} [ℓi]^{ai}, Zelensky chooses secret key [b] = ∏_{i=1}^{74} [ℓi]^{bi}.
Trump sends Ea = [a] ⋆ E0; Zelensky sends Eb = [b] ⋆ E0.
Trump computes [a] ⋆ Eb, Zelensky computes [b] ⋆ Ea.
Eavesdropper learns [a] ⋆ E0 and [b] ⋆ E0, but not [ab] ⋆ E0.
CSIDH and Seasign
14/34
CSIDH advantages: non-interactive; CCA-security; key size: 64 Bytes.
CSIDH disadvantages: speed ∼ 35 ms; subexponential quantum attack.
Can we do authentication/signatures? Problem is Z^74 ↔ cl(O). We can't sample uniformly from cl(O). We don't have a unique way to represent elements in cl(O).
Seasign [De Feo, Galbraith] + [Decru, Panny, Vercauteren]: expensive workaround by using a very redundant representation of class group elements: public key 16 KB, signatures 4 KB, 4 minutes.
Outline
15/34
1. Some Isogeny-Based Crypto
2. Class group computation
3. CSI-FiSh
Motivation
16/34
Problem: We don't know the class group, only a set of generators [ℓ1], ..., [ℓ74]. We can't sample uniformly from cl(O). We don't have a unique way to represent elements in cl(O).
Solution: Just compute the structure of cl(O): cl(O) = Z/N1Z × · · · × Z/NlZ. Now sampling and unique representation of elements is trivial.
Computing class group (simplified)
17/34
Recall p = 4 · 3 · ... · 587 − 1 and O = Z[π] = Z[√−p]. We compute cl(O) as follows:
1) Let F = {p1, ..., pn} be the set of prime ideals of norm ≤ 7000000. Assuming GRH these generate cl(O), so cl(O) ≃ Z^n/Λ, where Λ = {e | ∏_{i=1}^{n} p_i^{e_i} is principal}.
2) Collect relations between the [p_i] by trying many (a + √−p) and hoping that they factor over F.
E.g. N(1 + √−p) = 1 + p = 4 · 3 · 5 · ... · 373 · 587, so 2 · (3, π + 1) · ... · (587, π + 1) is a principal ideal. ⇒ We get a relation between prime ideals in F.
One down, 6999999 to go!
Computing class group (simplified)
18/34
3) We make a square matrix R of relations over the factor base. Now det(R) divides Vol(Λ) = #cl(O). We compute det(R) to get a multiple of the class number. Repeat for R′, and compute h′ = gcd(det(R), det(R′)).
4) Factor h′ and check if each of the factors is a factor of the class number.
5) (In our case) Observe that the class number is square-free, so the class group is cyclic.
Class group computation (some details)
19/34
Bottlenecks: sieving (43 core years), determinant computation (2 × 4.3 core years).
Sieving: large prime variation. If we manage to factor (a + √−p), but some of the factors have norm > 7000000, we add these factors to F. We gathered 320 million relations over an extended factor base of 32.7 million ideals.
Class group computation (some details)
20/34
Matrix preprocessing: apply elementary row operations and delete rows and columns to reduce the size of the matrix, while keeping it sparse. We filter the 320 million relations over an extended factor base of 32.7 million ideals down to 222 thousand relations and ideals.
Determinant computation:
1. block-Wiedemann algorithm to compute the determinant modulo a lot of 64 bit primes.
2. use CRT to recover the determinant over the integers.
Class group computation
21/34
This is a record class group computation. Previous record was a 130 digit discriminant [Kleinjung]. Our discriminant has 154 decimal digits.
The class group cl(Z[√−p]) is cyclic of order N = 3 × 37 × 1407181 × 51593604295295867744293584889 × 31599414504681995853008278745587832204909, with generator [ℓ1] = (3, √−p − 1).
Class group computation
22/34
Computing class group action
23/34
Given a ∈ Z/NZ, how do we compute the action of [ℓ1]^a?
We have the relation lattice Λ74 for the 74 prime ideals that we can efficiently act with. To evaluate the action of [ℓ1]^a, we reduce (a, 0, ..., 0) modulo Λ74 (Babai's nearest plane) to get a short vector e ∈ Z^74 with e − (a, 0, ..., 0) ∈ Λ74. Then we compute the action of ∏_{i=1}^{74} [ℓi]^{ei} as usual.
We can now uniquely represent elements of the class group, sample them uniformly (as elements of Z/NZ), and compute their action.
Lattice reduction is 13% of total cost.
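To make this reduction step concrete, here is an added Python example (not code from the CSI-FiSh paper or its implementation): for a constructed toy cyclic class group of order N = 80 with four "simple" generators of known discrete logs, it builds the relation lattice Λ, LLL-reduces its basis and uses Babai's nearest plane to turn an exponent a ∈ Z/NZ into a short exponent vector e with e − (a, 0, 0, 0) ∈ Λ. The order, the logs and the dimension are assumptions standing in for the real 74-dimensional Λ74.

```python
from fractions import Fraction

# Toy stand-in for the CSI-FiSh setting (constructed, not real CSIDH-512 data): a cyclic class
# group of order N generated by l_1; LOGS[i] is the discrete log of [l_i] w.r.t. [l_1], so LOGS[0] = 1.
N, LOGS = 80, [1, 77, 9, 53]
def dot(u, v):
    return sum(Fraction(a) * Fraction(b) for a, b in zip(u, v))
def gram_schmidt(B):
    # Gram-Schmidt vectors b*_i and coefficients mu[i][j], exact over the rationals.
    Bs, mu = [], [[Fraction(0)] * len(B) for _ in B]
    for i, b in enumerate(B):
        v = [Fraction(x) for x in b]
        for j in range(i):
            mu[i][j] = dot(b, Bs[j]) / dot(Bs[j], Bs[j])
            v = [x - mu[i][j] * y for x, y in zip(v, Bs[j])]
        Bs.append(v)
    return Bs, mu
def lll(B, delta=Fraction(3, 4)):
    # Textbook LLL; Gram-Schmidt data is simply recomputed after each change (toy sizes).
    B, k = [list(b) for b in B], 1
    Bs, mu = gram_schmidt(B)
    while k < len(B):
        for j in range(k - 1, -1, -1):  # size-reduce b_k against b_j
            q = round(mu[k][j])
            if q:
                B[k] = [x - q * y for x, y in zip(B[k], B[j])]
                Bs, mu = gram_schmidt(B)
        if dot(Bs[k], Bs[k]) >= (delta - mu[k][k - 1] ** 2) * dot(Bs[k - 1], Bs[k - 1]):
            k += 1  # Lovasz condition holds
        else:
            B[k], B[k - 1] = B[k - 1], B[k]
            Bs, mu = gram_schmidt(B)
            k = max(k - 1, 1)
    return B
def babai_nearest_plane(B, t):
    # Returns e = t - v, v the lattice vector found near t: e is short and t - e is in the row lattice of B.
    Bs, _ = gram_schmidt(B)
    e = [Fraction(x) for x in t]
    for i in range(len(B) - 1, -1, -1):
        c = round(dot(e, Bs[i]) / dot(Bs[i], Bs[i]))
        e = [x - c * y for x, y in zip(e, B[i])]
    return [int(x) for x in e]

def relation_lattice_basis(n=N, logs=LOGS):
    # Lambda = {e : sum e_i*logs[i] = 0 mod n}; rows (n,0,..,0) and (-logs[i],..,1,..,0).
    m = len(logs)
    return [[n] + [0] * (m - 1)] + [[-logs[i] if j == 0 else int(i == j) for j in range(m)] for i in range(1, m)]

def short_exponents(a, n=N, logs=LOGS):
    # The CSI-FiSh step: rewrite [l_1]^a as prod [l_i]^{e_i} with a short exponent vector e.
    return babai_nearest_plane(lll(relation_lattice_basis(n, logs)), [a % n] + [0] * (len(logs) - 1))

def exponents_to_class(e, n=N, logs=LOGS):
    # The element of Z/nZ that prod [l_i]^{e_i} represents; equals a for e = short_exponents(a).
    return sum(ei * di for ei, di in zip(e, logs)) % n
```

In the real scheme the reduced basis of Λ74 is precomputed once, so only the Babai step runs per signature.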
Outline
24/34
1. Some Isogeny-Based Crypto
2. Class group computation
3. CSI-FiSh
Isogeny-based authentication
25/34
Trump chooses secret key [a], and tweets [a] ⋆ E0.
Three messages are exchanged (Trump → Zelensky, Zelensky → Trump, Trump → Zelensky), then Zelensky decides Accept/Reject.
Zelensky learns that she is talking to someone who knows [a], but without learning [a]!
Make non-interactive with Fiat-Shamir.
Zero Knowledge proofs
26/34
com →
ch ←
rsp →
Zero knowledge proofs are magic.
Properties: Correctness, Zero-Knowledge, Soundness (with small error).
Zero knowledge for vectorization
27/34
Secret [s], public key Epk = [s] ⋆ E0. The prover picks a random [r] and computes E = [r] ⋆ E0, so that E0 →[s]→ Epk, E0 →[r]→ E and E →[s][r]^{-1}→ Epk.
E →
0 or 1 ←
[r] or [s][r]^{-1} →
(b = 0: reveal [r], which maps E0 to E; b = 1: reveal [s][r]^{-1}, which maps E to Epk.)
Problem (and solution)
28/34
Problem: Cheating probability 1/2.
Solution: Repeat 128 times to get cheating probability ≤ 2^−128. ⇒ 128 times slower and 128 times bigger signatures.
Better solution: [Seasign] Use multiple secret keys. ⇒ Trade-off between signature size and public key size.
Improvements
29/34
As used by Seasign [De Feo, Galbraith]: k public keys E(1)pk, ..., E(k)pk with E(i)pk = [si] ⋆ E0.
The prover picks a random [r] and computes E = [r] ⋆ E0.
E →
c ∈ {0, ..., k} ←
[r][sc]^{-1} →
(The response [r][sc]^{-1} maps E(c)pk to E; for c = 0 it is just [r], mapping E0 to E.)
Cheating probability 1/(k+1).
Quadratic twists
30/34
An elliptic curve E ≠ E0 has a quadratic twist E^t. If −1 is not a square mod p, then E : y^2 = x^3 + Ax^2 + x ↔ E^t : y^2 = x^3 − Ax^2 + x.
Symmetry around E0: if E = g^a ⋆ E0, then E^t = g^{−a} ⋆ E0.
Figure: 3-isogeny CSIDH graph mod 83
Improvements with a twist
31/34
Public keys E(1)pk, E(1)t pk, ..., E(k)pk, E(k)t pk, where E(i)pk = s_i ⋆ E0 and its twist E(i)t pk = −s_i ⋆ E0 (exponents ±s_i).
The prover picks a random r and computes E = r ⋆ E0.
E →
c ∈ {−k, ..., k} ←
r ± s|c| →
(The response r ± s|c| maps E(|c|)pk (c > 0) or its twist (c < 0) to E; for c = 0 it is just r.)
Cheating probability 1/(2k+1).
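The identification protocol with k keys and their twists, made non-interactive with Fiat-Shamir, as an added Python example (not code from the CSI-FiSh paper or its implementation). The class group action is replaced by a constructed stand-in: a curve g^x ⋆ E0 is encoded by x ∈ Z/NZ, [g^a] acts by x ↦ x + a and the twist is x ↦ −x, so the exchange, the ±s|c| responses and the 1/(2k+1) repetition count are real but the hardness of vectorization is not; N, the hash and the round count are assumptions.

```python
import hashlib, math, secrets

# Toy stand-in for the class group action (constructed for this example, not a real
# isogeny computation): the curve g^x * E0 is encoded by x in Z/NZ, the class g^a acts
# by x -> x + a, and the quadratic twist is x -> -x (because E^t = g^-a * E0).
# The real scheme gets its security from the vectorization problem; here x is public.
N, E0 = 80, 0

def act(a, x):
    return (x + a) % N

def twist(x):
    return (-x) % N

def rounds_needed(k, sec_bits=128):
    # Cheating probability per round is 1/(2k+1); repeat until it is below 2^-sec_bits.
    return math.ceil(sec_bits / math.log2(2 * k + 1))

def keygen(k):
    sk = [secrets.randbelow(N) for _ in range(k)]  # s_1 .. s_k
    return sk, [act(s, E0) for s in sk]            # E_pk^(i) = s_i * E0; twists are -s_i * E0

def challenges(pk, coms, msg, k, t):
    # Fiat-Shamir: t challenges in {-k, ..., k} derived from H(pk, commitments, message).
    h = hashlib.shake_256(repr((pk, coms, msg)).encode()).digest(2 * t)
    return [int.from_bytes(h[2 * i:2 * i + 2], "big") % (2 * k + 1) - k for i in range(t)]

def response(r, c, sk):
    # c = 0: reveal r; c > 0: r - s_c maps E_pk^(c) to E; c < 0: r + s_|c| maps the twist to E.
    return r if c == 0 else (r - sk[c - 1]) % N if c > 0 else (r + sk[-c - 1]) % N

def sign(sk, pk, msg):
    k, t = len(sk), rounds_needed(len(sk))
    rs = [secrets.randbelow(N) for _ in range(t)]
    coms = [act(r, E0) for r in rs]                # commitments E = r * E0
    cs = challenges(pk, coms, msg, k, t)
    return coms, [response(r, c, sk) for r, c in zip(rs, cs)]

def verify(pk, msg, sig):
    coms, resps = sig
    k, t = len(pk), rounds_needed(len(pk))
    if len(coms) != t or len(resps) != t:
        return False
    for com, c, z in zip(coms, challenges(pk, coms, msg, k, t), resps):
        base = E0 if c == 0 else pk[c - 1] if c > 0 else twist(pk[-c - 1])
        if act(z, base) != com:                    # response must carry the base curve to E
            return False
    return True
```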
Implementation results
32/34
"Commutative Supersingular Isogeny based Fiat-Shamir" (CSI-FiSh)

Scheme                                                     | k  | |pk|  | |sig|   | signing time
Previous work: Improved Seasign [Decru, Panny, Vercauteren] | 23 | 512 B | 11.7 KB | 17 min
CSI-FiSh                                                   | 23 | 512 B | 956 B   | 1.5 s

CSI-FiSh has smaller |pk| + |sig| than all NIST candidates (SL I), but is much slower.
Conclusion
34/34
Class group action is useful for key exchange (CSIDH), but limited because the class group is unknown.
We compute the class group of a quadratic field with 154 digit discriminant (previous record was 130 digits).
This allows us to build a signature scheme (CSI-FiSh) from the class group action.
Optimizations: multiple public keys [De Feo, Galbraith]; add the twists; · · ·