Efficient compression of SIDH public keys Craig Costello 1 David Jao - - PowerPoint PPT Presentation

Efficient compression of SIDH public keys

Craig Costello1 David Jao2 Patrick Longa1 Michael Naehrig1 Joost Renes3 David Urbanik2

1Microsoft Research, Redmond, USA 2University of Waterloo, Ontario, Canada 3Radboud University, Nijmegen, The Netherlands

1 May 2017

1 May 2017 1 / 14

Supersingular-isogeny Diffie-Hellman

◮ Post-quantum secure (ephemeral) key exchange [JF11] ◮ Based on hardness of finding large-degree isogenies ◮ Small keys (≈ 564 bytes public) ◮ Relatively slow compared to other PQ proposals ◮ Key compression (≈ 385 bytes), at very high cost [Aza+16]

1 May 2017 2 / 14

Supersingular-isogeny Diffie-Hellman

◮ Post-quantum secure (ephemeral) key exchange [JF11] ◮ Based on hardness of finding large-degree isogenies ◮ Small keys (≈ 564 bytes public) ◮ Relatively slow compared to other PQ proposals ◮ Key compression (≈ 385 bytes), at very high cost [Aza+16]

This talk

◮ Key size reduced by 12.5% (≈ 330 bytes) ◮ Compression up to 66× faster ◮ Decompression up to 15× faster

1 May 2017 2 / 14

Isogeny graphs

p = 23 · 32 − 1, E/Fp2 : y2 = x3 + x, j(E) = 24, ℓ = 2 17 41 40 24 48 66

1 May 2017 3 / 14

Isogeny graphs

p = 23 · 32 − 1, E/Fp2 : y2 = x3 + x, j(E) = 24, ℓ = 2 17 41 40 24 48 66

2 2 2 3 1 May 2017 3 / 14

Isogeny graphs

p = 23 · 32 − 1, E/Fp2 : y2 = x3 + x, j(E) = 24, ℓ = 2 17 41 40 24 48 66

1 May 2017 3 / 14

Isogeny graphs

p = 23 · 32 − 1, E/Fp2 : y2 = x3 + x, j(E) = 24, ℓ = 3 17 41 40 24 48 66

2 2 2 2 2 2 3 2 1 May 2017 3 / 14

Key generation

= private party A, = private party B, = public keys 17 41 40 24 48 66

2 2 2 3 1 May 2017 4 / 14

Key generation

= private party A, = private party B, = public keys 17 41 40 24 48 66

2 2 2 2 2 2 3 2 1 May 2017 4 / 14

Supersingular-isogeny Diffie-Hellman [JF11]

= private party A, = private party B, = public key ր ր ր = 2-graph walk, ց ց ց = 3-graph walk, E EA EB φA φB

1 May 2017 5 / 14

Supersingular-isogeny Diffie-Hellman [JF11]

= private party A, = private party B, = public key ր ր ր = 2-graph walk, ց ց ց = 3-graph walk, E EA EB EAB EA[ℓe] = P, Q φA φB

1 May 2017 5 / 14

Supersingular-isogeny Diffie-Hellman [JF11]

= private party A, = private party B, = public key ր ր ր = 2-graph walk, ց ց ց = 3-graph walk, E EA EB EAB EA[ℓe] = P, Q ∈ Fp2 (= 2 log p bits) ∈ F2

p2 (= 4 log p bits)

φA φB

1 May 2017 5 / 14

Supersingular-isogeny Diffie-Hellman [JF11]

= private party A, = private party B, = public key ր ր ր = 2-graph walk, ց ց ց = 3-graph walk, E EA EB EAB EA[ℓe] = P, Q ∈ Fp2 (= 2 log p bits) ∈ F2

p2 (= 4 log p bits)

EA[ℓe] = R, S φA φB

1 May 2017 5 / 14

Supersingular-isogeny Diffie-Hellman [JF11]

= private party A, = private party B, = public key ր ր ր = 2-graph walk, ց ց ց = 3-graph walk, E EA EB EAB ∈ Fp2 (= 2 log p bits) EA[ℓe] = R, S (α, β, γ, δ) ∈ Z4

ℓe (≈ 2 log p bits)

φA φB

1 May 2017 5 / 14

Public-key compression [Aza+16]

Compression P, Q R, S αR + βS, γR + δS (α, β, γ, δ) Decompression (α, β, γ, δ) R, S (α, β, γ, δ) P, Q

1 May 2017 6 / 14

Public-key compression [Aza+16]

Compression P, Q R, S αR + βS, γR + δS (α, β, γ, δ) Decompression (α, β, γ, δ) R, S (α, β, γ, δ) P, Q

Expensive

1 May 2017 6 / 14

Public-key compression [Aza+16]

Compression P, Q R, S αR + βS, γR + δS (α, β, γ, δ) Decompression (α, β, γ, δ) R, S (α, β, γ, δ) P, Q Significantly improve efficiency (up to 66×) Significantly improve efficiency (up to 15×)

1 May 2017 6 / 14

Finding a canonical basis

Find R, S such that E[2372] = R, S, where #E(Fp2) =

• 237232392 .

1 May 2017 7 / 14

Finding a canonical basis

Find R, S such that E[2372] = R, S, where #E(Fp2) =

• 237232392 .

Finding an element of order 2372

1 Deterministically pick R ∈ E(Fp2) \ 2E(Fp2)

1 May 2017 7 / 14

Finding a canonical basis

Find R, S such that E[2372] = R, S, where #E(Fp2) =

• 237232392 .

Finding an element of order 2372

1 Deterministically pick R ∈ E(Fp2) \ 2E(Fp2)

For E : y2 = x(x − γ)(x − δ), R ∈ 2E(Fp2) ⇐ ⇒ xR, xR − δ, xR − γ are squares

1 May 2017 7 / 14

Finding a canonical basis

Find R, S such that E[2372] = R, S, where #E(Fp2) =

• 237232392 .

Finding an element of order 2372

1 Deterministically pick a non-square xR ∈ Fp2

For E : y2 = x(x − γ)(x − δ), R ∈ 2E(Fp2) ⇐ ⇒ xR, xR − δ, xR − γ are squares

1 May 2017 7 / 14

Finding a canonical basis

Find R, S such that E[2372] = R, S, where #E(Fp2) =

• 237232392 .

Finding an element of order 2372

1 Deterministically pick a non-square xR ∈ Fp2 2 If x3 R + Ax2 R + xR is not a square, goto 1

1 May 2017 7 / 14

Finding a canonical basis

Find R, S such that E[2372] = R, S, where #E(Fp2) =

• 237232392 .

Finding an element of order 2372

1 Deterministically pick a non-square xR ∈ Fp2 2 If x3 R + Ax2 R + xR is not a square, goto 1 3 Set R ← (xR,

• x3

R + Ax2 R + xR)

1 May 2017 7 / 14

Finding a canonical basis

Find R, S such that E[2372] = R, S, where #E(Fp2) =

• 237232392 .

Finding an element of order 2372

1 Deterministically pick a non-square xR ∈ Fp2 2 If x3 R + Ax2 R + xR is not a square, goto 1 3 Set R ← (xR,

• x3

R + Ax2 R + xR) 4 Set R ← [3239]R

1 May 2017 7 / 14

Finding a canonical basis

Find R, S such that E[2372] = R, S, where #E(Fp2) =

• 237232392 .

Finding an element of order 2372

1 Deterministically pick a non-square xR ∈ Fp2 2 If x3 R + Ax2 R + xR is not a square, goto 1 3 Set R ← (xR,

• x3

R + Ax2 R + xR) 4 Set R ← [3239]R

Finding a canonical basis of E[2372]

1 Pick R ∈ E(Fp2) of order 2372 2 Pick S ∈ E(Fp2) of order 2372 3 If E[2372] = R, S, goto 2.

1 May 2017 7 / 14

Transferring to µn via reduced Tate pairing

Transfer the discrete logs to µn e = e(R, S) eβ = e(R, P) eδ = e(R, Q) e−α = e(S, P) e−γ = e(S, Q) such that P = αR + βS and Q = γR + δS

1 May 2017 8 / 14

Transferring to µn via reduced Tate pairing

Transfer the discrete logs to µn e = e(R, S) eβ = e(R, P) eδ = e(R, Q) e−α = e(S, P) e−γ = e(S, Q) such that P = αR + βS and Q = γR + δS e(R, S) e(R, P) e(R, Q) e(S, P) e(S, Q) f0 ← fn,R f0 ← f0(S) . . .

1 May 2017 8 / 14

Transferring to µn via reduced Tate pairing

Transfer the discrete logs to µn e = e(R, S) eβ = e(R, P) eδ = e(R, Q) e−α = e(S, P) e−γ = e(S, Q) such that P = αR + βS and Q = γR + δS e(R, S) e(R, P) e(R, Q) e(S, P) e(S, Q) f0 ← fn,R f1← fn,R f0 ← f0(S) f1 ← f1(P) . . . . . .

1 May 2017 8 / 14

Transferring to µn via reduced Tate pairing

Transfer the discrete logs to µn e = e(R, S) eβ = e(R, P) eδ = e(R, Q) e−α = e(S, P) e−γ = e(S, Q) such that P = αR + βS and Q = γR + δS e(R, S) e(R, P) e(R, Q) e(S, P) e(S, Q) f0 ← fn,R f0 ← f0(S) f1 ← f0(P) . . . . . .

1 May 2017 8 / 14

Transferring to µn via reduced Tate pairing

Transfer the discrete logs to µn e = e(R, S) eβ = e(R, P) eδ = e(R, Q) e−α = e(S, P) e−γ = e(S, Q) such that P = αR + βS and Q = γR + δS e(R, S) e(R, P) e(R, Q) e(S, P) e(S, Q) f0 ← fn,R f2← fn,R f0 ← f0(S) f1 ← f0(P) f2 ← f2(Q) . . . . . . . . .

1 May 2017 8 / 14

Transferring to µn via reduced Tate pairing

Transfer the discrete logs to µn e = e(R, S) eβ = e(R, P) eδ = e(R, Q) e−α = e(S, P) e−γ = e(S, Q) such that P = αR + βS and Q = γR + δS e(R, S) e(R, P) e(R, Q) e(S, P) e(S, Q) f0 ← fn,R f0 ← f0(S) f1 ← f0(P) f2 ← f0(Q) . . . . . . . . .

1 May 2017 8 / 14

Transferring to µn via reduced Tate pairing

Transfer the discrete logs to µn e = e(R, S) eβ = e(R, P) eδ = e(R, Q) e−α = e(S, P) e−γ = e(S, Q) such that P = αR + βS and Q = γR + δS e(R, S) e(R, P) e(R, Q) e(S, P) e(S, Q) f0 ← fn,R f3 ← fn,S f0 ← f0(S) f1 ← f0(P) f2 ← f0(Q) f3 ← f3(P) . . . . . . . . . . . .

1 May 2017 8 / 14

Transferring to µn via reduced Tate pairing

Transfer the discrete logs to µn e = e(R, S) eβ = e(R, P) eδ = e(R, Q) e−α = e(S, P) e−γ = e(S, Q) such that P = αR + βS and Q = γR + δS e(R, S) e(R, P) e(R, Q) e(S, P) e(S, Q) f0 ← fn,R f3 ← fn,S f4← fn,S f0 ← f0(S) f1 ← f0(P) f2 ← f0(Q) f3 ← f3(P) f4 ← f4(Q) . . . . . . . . . . . . . . .

1 May 2017 8 / 14

Transferring to µn via reduced Tate pairing

Transfer the discrete logs to µn e = e(R, S) eβ = e(R, P) eδ = e(R, Q) e−α = e(S, P) e−γ = e(S, Q) such that P = αR + βS and Q = γR + δS e(R, S) e(R, P) e(R, Q) e(S, P) e(S, Q) f0 ← fn,R f3 ← fn,S f0 ← f0(S) f1 ← f0(P) f2 ← f0(Q) f3 ← f3(P) f4 ← f3(Q) . . . . . . . . . . . . . . .

1 May 2017 8 / 14

Transferring to µn via reduced Tate pairing

Transfer the discrete logs to µn e = e(R, S) eβ = e(R, P) eδ = e(R, Q) e−α = e(S, P) e−γ = e(S, Q) such that P = αR + βS and Q = γR + δS e(R, S) e(R, P) e(R, Q) e(S, P) e(S, Q) f0 ← fn,R f3 ← fn,S f0 ← f0(S) f1 ← f0(P) f2 ← f0(Q) f3 ← f3(P) f4 ← f3(Q) . . . . . . . . . . . . . . . Optimized formulas for fn,R and fn,S!

1 May 2017 8 / 14

Efficient discrete logarithms (Pohlig-Hellman)

For e0, e1, e2, e3, e4 ∈ µℓe, compute α, β, γ, δ such that e1 = e−α , e2 = eβ

0 ,

e3 = e−γ

0 ,

e4 = eδ As µℓe ⊂ Gp+1 ⊂ Fp2, I ≈ M, S ≈ 2s, C ≈ 2m + 1s

1 May 2017 9 / 14

Efficient discrete logarithms (Pohlig-Hellman)

For e0, e1, e2, e3, e4 ∈ µℓe, compute α, β, γ, δ such that e1 = e−α , e2 = eβ

0 ,

e3 = e−γ

0 ,

e4 = eδ As µℓe ⊂ Gp+1 ⊂ Fp2, I ≈ M, S ≈ 2s, C ≈ 2m + 1s DLℓe #G1 = ℓe DLℓ DLℓ · · · DLℓ #G1 = ℓ

1 May 2017 9 / 14

Nested Pohlig-Hellman

PH1 #G1 = ℓe1 #G2 = ℓe2 PH2 PH2 · · · PH2 #G3 = ℓe3 PH3 PH3 · · · PH3 #Gn = ℓen . . . . . . PHn PHn · · · PHn #Gn+1 = ℓ DLℓ DLℓ · · · DLℓ

1 May 2017 10 / 14

Comparison

# windows Fp2 table size n w1 w2 w3 w4 M S Fp2 – – – – 372 69 378 375 1 19 – – – 375 7 445 43 2 51 7 – – 643 4 437 25 3 84 21 5 – 716 3 826 25 4 114 35 11 3 1 065 3 917 27 Options for different time-memory trade-offs [Sut11]

1 May 2017 11 / 14

Signature size reduction

◮ The quadruple (α, β, γ, δ) ∈ Z4 ℓe determines

P = αR + βS, Q = γR + δS. These determine P + λQ, for some λ ∈ Z∗

ℓe ◮ Thus we only need P, Q up to scalar, and compress to

[α : β : γ : δ] . As P, Q form a basis of E[ℓe], either α or β is invertible

◮ Normalizing, we represent it in Z3 ℓe × Z2

1 May 2017 12 / 14

Benchmarks (for ℓ = 2)

This work [Aza+16] Speed-up Key size (bytes) 328 385 – SIDH (cc × 106) 80 – – Compression (cc × 106) 109 6 081 56× Decompression (cc × 106) 42 539 13× Full no comp. (cc × 106) 192 535 2.8× Full comp. (cc × 106) 469 15 395 31× Software available at https://github.com/Microsoft/PQCrypto-SIDH

1 May 2017 13 / 14

Thanks! Questions

1 May 2017 14 / 14

References I

[Aza+16] Reza Azarderakhsh, David Jao, Kassem Kalach, Brian Koziel and Christopher Leonardi. “Key Compression for Isogeny-Based Cryptosystems”. In: Proceedings of the 3rd ACM International Workshop on ASIA Public-Key Cryptography, AsiaPKC@AsiaCCS, Xi’an, China, May 30 - June 03, 2016. Ed. by Keita Emura, Goichiro Hanaoka and Rui Zhang. ACM, 2016, pp. 1–10. doi: 10.1145/2898420.2898421. url: http://doi.acm.org/10.1145/2898420.2898421. [JF11] David Jao and Luca De Feo. “Towards Quantum-Resistant Cryptosystems from Supersingular Elliptic Curve Isogenies”. In: Post-Quantum Cryptography - 4th International Workshop, PQCrypto 2011, Taipei, Taiwan, November 29 - December 2,

• 2011. Proceedings. 2011, pp. 19–34. doi:

10.1007/978-3-642-25405-5_2. url: http://dx.doi.org/10.1007/978-3-642-25405-5_2.

1 May 2017 15 / 14

References II

[Sut11] Andrew V. Sutherland. “Structure computation and discrete logarithms in finite abelian p-groups”. In: Math. Comput. 80.273 (2011), pp. 477–500. doi: 10.1090/S0025-5718-10-02356-2. url: http://dx.doi.org/10.1090/S0025-5718-10-02356-2.

1 May 2017 16 / 14