Elliptic Curve Isogeny Based Cryptosystems Frederik Vercauteren - - PowerPoint PPT Presentation



SLIDE 1

Elliptic Curve Isogeny Based Cryptosystems

Frederik Vercauteren

Open Security Research (China) KU Leuven ESAT/COSIC (Belgium) frederik.vercauteren@gmail.com

23 August 2016

Frederik Vercauteren Elliptic Curve Isogeny Based Cryptosystems 23 August 2016 1 / 38

slide-2
SLIDE 2

1. Elliptic curves and isogenies
2. Ordinary isogeny Diffie-Hellman
3. Supersingular isogeny Diffie-Hellman

SLIDE 3

Post-quantum cryptography

Shor's algorithm breaks RSA, DLP and ECDLP in polynomial time on a quantum computer. Post-quantum cryptographic systems:

- Code-based crypto: McEliece, ...
- Lattice-based crypto: NTRU, LWE, ...
- Hash-based crypto: Merkle hash tree signatures, ...
- Multivariate crypto: Hidden Field Equations, ...

What about isogeny based crypto ?

SLIDE 5

Isogeny based crypto: history

Diffie-Hellman key agreement:

- 1997: Couveignes: talk at ENS about "Hard Homogeneous Spaces"
- 2006: Rostovtsev, Stolbunov: ordinary isogeny Diffie-Hellman
- 2010: Weiwei, Debiao: key agreement protocols
- 2011: De Feo, Jao, Plût: supersingular isogeny Diffie-Hellman
- 2016: Costello, Longa, Naehrig: efficient implementation of SIDH

Other cryptographic constructions:

- 2003: Teske: elliptic curve trapdoor system
- 2004: Rostovtsev, Makhovenko, Shemyakina: ordered digital signature scheme
- 2009: Charles, Lauter, Goren: hash function based on the isogeny graph
- 2010-2011: Debiao, Jianhua and Jin: random number generator and key agreement
- 2014: Sun, Tian, Wang: strong designated verifier signature
- 2014: Jao, Soukharev: undeniable signatures

SLIDE 6

Idea 1: Diffie-Hellman from abelian group action

Let G be a finite abelian group and X a set with a group action

  ⋆ : G × X → X : (g, x) ↦ g ⋆ x

Recall (gh) ⋆ x = g ⋆ (h ⋆ x) and e ⋆ x = x.

Key agreement (x ∈ X is public):

  Alice                          Bob
  a ∈_R G                        b ∈_R G
  α = a ⋆ x                      β = b ⋆ x
               α  →
               ←  β
  k = a ⋆ β = (ab) ⋆ x           k = b ⋆ α = (ba) ⋆ x

SLIDE 7

Idea 1: instantiation

Couveignes (1997), Rostovtsev, Stolbunov (2006):

- The set X consists of the j-invariants of elliptic curves E/F_q with End(E) ≃ O_K, the ring of integers of an imaginary quadratic field K
- The group G is the class group cl(O_K)
- An ideal a of O_K defines a subgroup E[a] and an isogeny ϕ_a : E → E′ = E/E[a]
- Action: [a] ⋆ j(E) = j(E′)

SLIDE 9

Elliptic curves

An elliptic curve E over a field k with char(k) > 3 can be defined by

  y² = x³ + ax + b,   a, b ∈ k,   4a³ + 27b² ≠ 0

For any field extension k′/k, the set E(k′) of k′-rational points forms an abelian group with O as identity element.

The j-invariant

  j(E) = j(a, b) = 1728 · 4a³ / (4a³ + 27b²)

determines the isomorphism class of E over the algebraic closure of k (over k itself only up to twist).
Given j0 ∈ k, it is easy to write down a curve with j-invariant equal to j0:

- j(0, b) = 0 and j(a, 0) = 1728
- General case (j0 ≠ 0, 1728): a = −3c and b = 2c with c = j0/(j0 − 1728)

SLIDE 10

Torsion subgroups

Multiplication-by-n map: [n] : E → E : P ↦ nP
The n-torsion subgroup is the kernel of [n]: E[n] = {P ∈ E(k̄) : nP = O}
If char(k) ∤ n, then E[n] ≃ Z/nZ × Z/nZ
If char(k) = p, then either:

- Supersingular: E[p^e] = {O}, or
- Ordinary: E[p^e] ≃ Z/p^eZ

SLIDE 12

Isogenies

An isogeny ϕ : E1 → E2 is a morphism (rational map) that preserves the identity.
The degree of an isogeny is its degree as a rational map.
If the isogeny is separable, then deg(ϕ) = #ker(ϕ).
For an isogeny ϕ : E1 → E2 of degree n there is a dual isogeny ϕ̂ : E2 → E1 with ϕ̂ ∘ ϕ = [n]_{E1} and ϕ ∘ ϕ̂ = [n]_{E2}.

Theorem

For every finite subgroup H ⊂ E1(k̄), there exist an elliptic curve E2 and a separable isogeny ϕ : E1 → E2 with ker ϕ = H.

Vélu's formulae: compute the curve E2 and the isogeny ϕ given H.

SLIDE 15

ℓ-Isogenies and modular polynomial

Let ℓ ≠ char(k) be prime; then an isogeny of degree ℓ has a cyclic kernel of order ℓ.
Recall E[ℓ] = Z/ℓZ × Z/ℓZ, so there are ℓ + 1 cyclic subgroups of order ℓ, and each subgroup is the kernel of an isogeny.
The isogeny is defined over k iff its kernel is invariant under Gal(k(E[ℓ])/k).
So there are 0, 1, 2 or ℓ + 1 k-rational ℓ-isogenies.

Modular polynomial Φ_ℓ(X, Y):

- symmetric in X, Y and of degree ℓ + 1 in each variable
- two elliptic curves E1, E2 are ℓ-isogenous iff Φ_ℓ(j(E1), j(E2)) = 0

Elkies' algorithm: computes the isogeny and its kernel given j(E1) and j(E2).

SLIDE 17

Endomorphism ring

An endomorphism is an isogeny from E to itself. The set of endomorphisms End(E) forms a ring:

  (ϕ + ψ)(P) = ϕ(P) + ψ(P),   (ϕψ)(P) = ϕ(ψ(P))

Theorem

End(E) of a curve E/k can be:

1. End(E) ≃ Z
2. End(E) ≃ an order O in an imaginary quadratic extension of Q
3. End(E) ≃ an order O in a quaternion algebra over Q

If End(E) is strictly larger than Z, then E is said to have complex multiplication.
Case 3 occurs if and only if E is supersingular (see later).

SLIDE 18

Endomorphism rings of isogenous curves

The endomorphism algebra End⁰(E) = End(E) ⊗ Q is an isogeny invariant:

- so if E1 is supersingular then so is every curve E2 isogenous to it

In general End(E1) ≠ End(E2), but for an ℓ-isogeny E1 → E2 exactly one of the following holds:

- End(E1) = End(E2) (horizontal)
- End(E1) has index ℓ in End(E2) (ascending)
- End(E2) has index ℓ in End(E1) (descending)

SLIDE 19

Frobenius endomorphism

Let E be an elliptic curve over the finite field k = F_q. The Frobenius endomorphism is

  π_E : E → E : (x, y) ↦ (x^q, y^q)

Theorem

The characteristic equation of π_E is X² − tX + q = 0 with |t| ≤ 2√q, and #E(F_q) = q + 1 − t.

∆ = t² − 4q ≤ 0, so for |t| < 2√q the field Q(π_E) is an imaginary quadratic field K.

SLIDE 20

Ordinary curves over finite fields

A curve E/F_q is ordinary iff E[p] ≠ {O}, with p = char(F_q).
Then End(E) is an order in the imaginary quadratic field K = Q(π_E):

  Z[π_E] ⊂ End(E) ⊂ O_K

Write ∆ = t² − 4q = f²·D_K with D_K the fundamental discriminant of K, so f = [O_K : Z[π_E]].
Vertical isogenies can only occur for ℓ | f.
So if ∆ is squarefree then End(E) = Z[π_E] = O_K, and only horizontal isogenies exist.

SLIDE 22

Horizontal isogenies and class group

For simplicity assume End(E) = Z[π_E] = O_K.
For an ideal a ⊂ O_K define the a-torsion subgroup

  E[a] = {P ∈ E(k̄) : α(P) = O for all α ∈ a}

Properties

- E[a] is the kernel of a separable horizontal isogeny φ_a : E → E_a = E/E[a]
- If char(k) ∤ N(a), then deg(φ_a) = N(a) = [O_K : a]
- For two ideals a, b of O_K we have φ_ab = φ_a φ_b (composition, the second isogeny being taken on the intermediate curve)
- For a principal ideal a we have E ≃ E_a

SLIDE 24

Horizontal isogenies and class group

Define Ell_{O_K}(k) = {j(E) : E/k with End(E) ≃ O_K}.
Then the class group cl(O_K) acts on Ell_{O_K}(k) by [a] ⋆ j(E) = j(E_a).
The action of cl(O_K) on Ell_{O_K}(k) is simply transitive.
Conclusion: #Ell_{O_K}(k) = h(O_K) (or Ell_{O_K}(k) is empty).

For a prime ℓ ≠ char(k), a horizontal ℓ-isogeny requires an ideal of norm ℓ in O_K = Z[π_E]:

- If ℓ splits, then ℓO_K = l·m: two horizontal isogenies, one for l and one for m
- If ℓ ramifies, then ℓO_K = l²: one horizontal isogeny, for l
- If ℓ is inert: no horizontal isogenies

The ideals are of the form l = (ℓ, π_E − λ), so the kernel E[l] is the λ-eigenspace of Frobenius in E[ℓ].

SLIDE 26

Example

Let p = 241 and consider E/F_p : y² = x³ + x + 3, with j(E) = 188.
Then #E(F_p) = 231 and t = 11.
∆ = t² − 4p = −843, which is squarefree.
Define K = Q(π_E) = Q[x]/(x² − tx + p); then O_K = Z[π_E].
The class group cl(O_K) is cyclic of order 6. As generator one can take [g] = [(11, π_E − 1)].
Small representatives:

  [g]  : (11, π_E − 1)      [g⁴] : (7, π_E − 1)
  [g²] : (7, π_E − 3)       [g⁵] : (11, π_E − 10)
  [g³] : (3, π_E − 1)       [g⁶] : (1)

SLIDE 27

Example

The j-invariants having the same endomorphism ring: {160, 161, 188, 195, 65, 191}
For the primes ℓ ∈ {2, 3, 5, 7, 11}:

- no horizontal isogenies of degree 2 and 5
- for ℓ = 3, precisely one horizontal isogeny per j-invariant
- for ℓ = 7, 11, precisely two horizontal isogenies per j-invariant
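A check of these counts, added here and not part of the talk: apply the splitting criterion of SLIDE 24 to the Frobenius polynomial of the example of SLIDE 26. With $p = 241$ and $t = 11$ we have $f(x) = x^2 - 11x + 241$, and a prime $\ell \ne p$ gives one horizontal $\ell$-isogeny for each ideal $(\ell, \pi_E - \lambda)$ of norm $\ell$, i.e. for each root $\lambda$ of $f$ modulo $\ell$:

$$
\begin{aligned}
\ell = 2:&\quad f \equiv x^2 + x + 1 \pmod 2 \text{ is irreducible: inert, no horizontal isogeny}\\
\ell = 3:&\quad f \equiv x^2 - 2x + 1 = (x-1)^2 \pmod 3: \text{ ramified, } 3\mathcal{O}_K = (3, \pi_E - 1)^2, \text{ one isogeny}\\
\ell = 5:&\quad f \equiv x^2 - x + 1 \pmod 5, \text{ discriminant } -3 \equiv 2 \text{ is a non-square: inert, none}\\
\ell = 7:&\quad f \equiv x^2 - 4x + 3 = (x-1)(x-3) \pmod 7: \text{ split, } 7\mathcal{O}_K = (7, \pi_E - 1)(7, \pi_E - 3), \text{ two}\\
\ell = 11:&\quad f \equiv x^2 - 1 = (x-1)(x+1) \pmod{11}: \text{ split, } 11\mathcal{O}_K = (11, \pi_E - 1)(11, \pi_E - 10), \text{ two}
\end{aligned}
$$

Equivalently, $\left(\tfrac{-843}{\ell}\right) = -1, 0, -1, +1, +1$ for $\ell = 2, 3, 5, 7, 11$. The two roots of a split prime multiply to $p$ modulo $\ell$ ($1 \cdot 3 \equiv 241 \pmod 7$, $1 \cdot 10 \equiv 241 \pmod{11}$), so the two ideals above $7$ (and above $11$) are conjugates and therefore inverse to each other in $\mathrm{cl}(\mathcal{O}_K)$; this is why $[g^5] = [g]^{-1}$ and $[g^4] = [g^2]^{-1}$ on SLIDE 26 are the conjugates of $[g]$ and $[g^2]$. For $\lambda = 1$ the kernel $E[(\ell, \pi_E - 1)]$ is the $\mathbb{F}_p$-rational $\ell$-torsion, which exists for $\ell = 3, 7, 11$ precisely because $\#E(\mathbb{F}_p) = 231 = 3 \cdot 7 \cdot 11$.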

SLIDE 28

Isogeny graph on Ell_{O_K}(k), ℓ = 3 [figure]

SLIDE 29

Isogeny graph on Ell_{O_K}(k), ℓ = 7 [figure]

SLIDE 30

Isogeny graph on Ell_{O_K}(k), ℓ = 11 [figure]

SLIDE 31

Isogeny graph on Ell_{O_K}(k), ℓ = 3, 5, 11 [figure]

SLIDE 33

Computing class action

System setup: a curve E/F_q with #E(F_q) = q + 1 − t points and ∆ = t² − 4q squarefree, so End(E) = Z[π_E] with

  π_E² − tπ_E + q = 0

If f(x) = x² − tx + q has two roots λ, µ modulo ℓ, then ℓO_K = m·l with m = (ℓ, π_E − λ) and l = (ℓ, π_E − µ).

Given the j-invariant j(E) and an ideal l = (ℓ, π_E − λ) in O_K of norm ℓ:

1. Compute the possible j-invariants j1, j2 as the roots of Φ_ℓ(x, j(E)) = 0
2. For j1 use Elkies' algorithm to compute the curve E′ with j(E′) = j1 and the kernel H of the isogeny
3. If H is the eigenspace corresponding to λ, then j1 is correct; otherwise select j2

SLIDE 34

Sampling elements in cl(OK)

We do not want to compute h(O_K) nor the structure of cl(O_K).
Under GRH there exists a constant c0 such that the degree-one ideals of norm smaller than ℓ_max = c0 log²|∆| generate cl(O_K).
Let L = {l_i : l_i of degree one, N(l_i) = ℓ_i and ℓ_i ≤ ℓ_max}.
To select a "random" element, select exponents e_i for i = 1, ..., #L and set

  a = ∏_{i=1}^{#L} l_i^{e_i}

The box containing the exponents should have volume ≫ h(O_K).
Very slow: Stolbunov's implementation for a 428-bit prime p requires 230 s.

SLIDE 36

Ordinary isogeny computation: hardness

Given two ordinary elliptic curves E1/F_q and E2/F_q with End(E1) = End(E2):

- Classical computers: the algorithm of Galbraith, Hess, Smart (optimized by Stolbunov) computes the isogeny in time Õ(q^{1/4+o(1)})
- Quantum computers: the Childs, Jao, Soukharev algorithm runs in time L_q(1/2, √3/2)

Abelian hidden shift problem

Let A be a finite abelian group and f0 : A → R an injective function. Let f1 : A → R be defined by f1(x) = f0(xs) for some unknown s. Problem: find s.
Isogeny setting: f0([a]) = [a] ⋆ E1 and f1([a]) = [a] ⋆ E2. We know that for some secret [s] we have E2 = [s] ⋆ E1.

SLIDE 37

Supersingular curves

E over F_q with q = pⁿ is supersingular iff E[p] = {O}.
End(E) is then isomorphic to an order in a quaternion algebra.
All supersingular curves can be defined over F_{p²}.
Let S_{p²} be the set of all supersingular j-invariants in F_{p²}.

Theorem

  #S_{p²} = ⌊p/12⌋ + ε,  with ε = 0 if p ≡ 1 mod 12, ε = 1 if p ≡ 5, 7 mod 12, ε = 2 if p ≡ 11 mod 12

SLIDE 39

Supersingular isogeny graph

E[ℓ] ≃ (Z/ℓ) × (Z/ℓ), so each subgroup H_i of order ℓ gives an isogeny ψ_i : E → E_i ≃ E/H_i.
The isogenous curve E_i is supersingular, so its j-invariant lies in S_{p²}.
This immediately leads to an (ℓ + 1)-regular directed graph X(S_{p²}, ℓ).

Theorem

The graph X(S_{p²}, ℓ) is connected.

Edges (j1, j2) not incident to 0 or 1728 have the same multiplicity as (j2, j1).
We obtain an undirected graph X(S′_{p²}, ℓ) with S′_{p²} = S_{p²} \ {0, 1728}.
For p ≡ 1 mod 12, we have S′_{p²} = S_{p²}.

SLIDE 40

Supersingular isogeny graph: example

Let p = 241; then #S_{p²} = 20. Take F_{p²} = F_p[w] = F_p[x]/(x² + 238x + 7).

  S_{p²} = {93, 51w + 30, 190w + 183, 240, 216, 45w + 211, 196w + 105, 64, 155w + 3, 74w + 50, 86w + 227, 167w + 31, 175w + 237, 66w + 39, 8, 23w + 193, 218w + 21, 28, 49w + 112, 192w + 18}

SLIDE 41

Supersingular isogeny graph, ℓ = 2 [figure]

SLIDE 42

Supersingular isogeny graph, ℓ = 3 [figure]

SLIDE 43

Expander graphs

An undirected graph G = (V, E) is an expander graph with expansion constant c > 0 if for any subset U ⊂ V with |U| ≤ |V|/2, its boundary Γ(U) has size |Γ(U)| ≥ c|U|.
An expander graph is connected.
The diameter of G is the maximal distance between any two vertices in the graph. For an expander graph:

  Diam(G) ≤ 2 log(|V|) / log(1 + c)

Theorem

For p ≡ 1 mod 12, the graph X(S_{p²}, ℓ) is a Ramanujan graph, i.e. an expander graph with "optimal" expansion factor.

SLIDE 45

Idea 2: a commutative diagram

De Feo, Jao, Plût derive a Diffie-Hellman type key agreement on S_{p²}.
Basic idea: a commutative diagram

     E  ---- φ ---->  E/⟨P⟩
     |                  |
     ψ                  |
     v                  v
   E/⟨Q⟩ ---------->  E/⟨P, Q⟩

The common key will be the j-invariant of the curve E/⟨P, Q⟩.
P and Q should be kept secret, and it should also be impossible to derive them from E, E/⟨P⟩ and E/⟨Q⟩.
To compute E/⟨P, Q⟩ from E/⟨P⟩ one needs to know φ(Q), but at the same time φ(Q) should be secret...

SLIDE 46

SIDH: de Feo, Jao, Plˆ ut

Take a prime p = ℓ_A^{e_A} ℓ_B^{e_B} · f ± 1 and a supersingular curve E over F_p with

  #E(F_{p²}) = (p ∓ 1)² = (ℓ_A^{e_A} ℓ_B^{e_B} · f)²,

so that E[ℓ_A^{e_A}] is rational over F_{p²} (similarly for ℓ_B).
E[ℓ_A^{e_A}] contains ℓ_A^{e_A} + ℓ_A^{e_A − 1} cyclic subgroups of order ℓ_A^{e_A}.
Any point P of order ℓ_A^{e_A} defines a path of length e_A in X(S_{p²}, ℓ_A) starting from j(E).

SLIDE 47

SIDH: de Feo, Jao, Plˆ ut

Let {P_A, Q_A} and {P_B, Q_B} be public bases of E[ℓ_A^{e_A}] and E[ℓ_B^{e_B}].

  Alice                                        Bob
  m_A, n_A ∈_R Z/ℓ_A^{e_A}                     m_B, n_B ∈_R Z/ℓ_B^{e_B}
  P = m_A P_A + n_A Q_A                        Q = m_B P_B + n_B Q_B
  φ_A : E → E_A = E/⟨P⟩                        φ_B : E → E_B = E/⟨Q⟩
              E_A, φ_A(P_B), φ_A(Q_B)  →
              ←  E_B, φ_B(P_A), φ_B(Q_A)
  φ_B(P) = m_A φ_B(P_A) + n_A φ_B(Q_A)         φ_A(Q) = m_B φ_A(P_B) + n_B φ_A(Q_B)
  E_AB = E_B/⟨φ_B(P)⟩                          E_BA = E_A/⟨φ_A(Q)⟩

Shared key: j(E_AB) = j(E_BA). The secrets must satisfy ℓ_A ∤ gcd(m_A, n_A) (resp. ℓ_B ∤ gcd(m_B, n_B)), so that P (resp. Q) has full order ℓ_A^{e_A} (resp. ℓ_B^{e_B}) and the walk has the intended length.

SLIDE 48

Computing power ℓ isogenies

Let P be a point of order ℓ^e and φ : E → E/⟨P⟩ the corresponding isogeny.
Decompose φ as φ_{e−1} ∘ φ_{e−2} ∘ ··· ∘ φ_0 with E_0 = E and P_0 = P, where

  φ_i : E_i → E_{i+1},   E_{i+1} = E_i/⟨ℓ^{e−i−1} P_i⟩,   P_{i+1} = φ_i(P_i)

Multiplication-based strategy: compute ℓ^{e−i−1} P_i, then φ_i, and then P_{i+1}.

Isogeny-based strategy: compute all multiples Q_i = ℓ^i P once, compute φ_0 and apply φ_0 to all Q_i for 0 ≤ i ≤ e − 2, and repeat for φ_1, ..., φ_{e−1}.

De Feo, Jao, Plût: the optimal strategy uses a mix of both.
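A toy run of the exchange of SLIDE 47, computed with the multiplication-based strategy of this slide and with Vélu's formulae of SLIDE 12. This is an example written for this page, not the De Feo-Jao-Plût or Costello-Longa-Naehrig code. Its parameters are assumptions of the example: the prime p = 2699 = 3³·5²·4 − 1 and the starting curve y² = x³ + x (p ≡ 3 mod 4 makes that curve supersingular with #E(F_{p²}) = (p + 1)²), and Alice uses ℓ_A = 3, e_A = 3 while Bob uses ℓ_B = 5, e_B = 2 instead of the usual 2 and 3, because with two odd degrees both torsion bases can be assembled from E(F_p) and its quadratic twist using square roots in F_p only. Vélu's formulae are used in the sum-over-kernel form X = x + Σ_Q (x(R+Q) − x(Q)), Y likewise; the secrets nA = 5, nB = 7 in the usage line are fixed demo constants, not random draws.

```python
# Toy SIDH over F_{p^2} with p = 3^3 * 5^2 * 4 - 1 = 2699 (p = 3 mod 4, so E: y^2 = x^3 + x is
# supersingular, #E(F_{p^2}) = (p + 1)^2 and E[27], E[25] are rational over F_{p^2}).
# Added example: the prime, the odd degrees 3 and 5 and the demo secrets are assumptions here.
p = 2699

# F_{p^2} = F_p[i]/(i^2 + 1), elements stored as (re, im); F_p sits inside as (x, 0)
def fadd(u, v): return ((u[0] + v[0]) % p, (u[1] + v[1]) % p)
def fsub(u, v): return ((u[0] - v[0]) % p, (u[1] - v[1]) % p)
def fmul(u, v): return ((u[0] * v[0] - u[1] * v[1]) % p, (u[0] * v[1] + u[1] * v[0]) % p)
def fint(n): return (n % p, 0)
def finv(u):
    n = pow(u[0] * u[0] + u[1] * u[1], -1, p)      # u * conj(u) is the norm, an element of F_p
    return (u[0] * n % p, -u[1] * n % p)
ZERO, ONE = fint(0), fint(1)

def on_curve(P, a, b):
    x, y = P
    return fmul(y, y) == fadd(fmul(x, fadd(fmul(x, x), a)), b)

def add(P, Q, a):
    """Affine addition on y^2 = x^3 + a x + b over F_{p^2}; None is the point at infinity."""
    if P is None: return Q
    if Q is None: return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and fadd(y1, y2) == ZERO: return None
    if P == Q: lam = fmul(fadd(fmul(fint(3), fmul(x1, x1)), a), finv(fadd(y1, y1)))
    else: lam = fmul(fsub(y2, y1), finv(fsub(x2, x1)))
    x3 = fsub(fsub(fmul(lam, lam), x1), x2)
    return (x3, fsub(fmul(lam, fsub(x1, x3)), y1))

def mul(k, P, a):
    R = None
    while k:
        if k & 1: R = add(R, P, a)
        P, k = add(P, P, a), k >> 1
    return R

def j_inv(a, b):
    n = fmul(fint(4), fmul(a, fmul(a, a)))
    return fmul(fint(1728), fmul(n, finv(fadd(n, fmul(fint(27), fmul(b, b))))))

def velu(a, b, K, l):
    """Velu's formulae for the kernel <K> of odd prime order l: the curve E/<K> and the map phi."""
    kernel = [mul(k, K, a) for k in range(1, l)]
    v = w = ZERO
    for xq, yq in kernel[:(l - 1) // 2]:               # one representative of each pair {Q, -Q}
        vq = fmul(fint(2), fadd(fmul(fint(3), fmul(xq, xq)), a))
        v, w = fadd(v, vq), fadd(w, fadd(fmul(fint(4), fmul(yq, yq)), fmul(xq, vq)))
    a2, b2 = fsub(a, fmul(fint(5), v)), fsub(b, fmul(fint(7), w))
    def phi(R):                                        # X = x + sum_Q (x(R+Q) - x(Q)), Y likewise
        if R is None or R in kernel: return None
        X, Y = R
        for Q in kernel:
            S = add(R, Q, a)
            X, Y = fsub(fadd(X, S[0]), Q[0]), fsub(fadd(Y, S[1]), Q[1])
        return (X, Y)
    return a2, b2, phi

def chain(a, b, S, l, e, others):
    """The l^e-isogeny with kernel <S> as e steps of degree l (multiplication-based strategy:
    kernel of step i is l^(e-i-1) * S_i); the points in `others` are pushed through every step."""
    for i in range(e):
        a, b, phi = velu(a, b, mul(l ** (e - i - 1), S, a), l)
        S, others = phi(S), [phi(T) for T in others]
    return a, b, others

def basis(l, e, a):
    """Basis of E[l^e] for E: y^2 = x^3 + x: a point of order l^e in E(F_p) and one in the quadratic
    twist (y in i*F_p). Both groups are cyclic of order p + 1 and meet only in E[2], so for odd l the
    two points are independent. Only square roots in F_p are needed, which is why l is odd here."""
    n, found = l ** e, {}
    for x in range(1, p):
        f = (x ** 3 + x) % p
        sq = pow(f, (p - 1) // 2, p) == 1               # is f a square in F_p?
        r = pow(f if sq else -f % p, (p + 1) // 4, p)    # sqrt for p = 3 mod 4; -f is a square if f is not
        P = mul((p + 1) // n, ((x, 0), (r, 0) if sq else (0, r)), a)
        if P is not None and mul(n // l, P, a) is not None:   # order exactly l^e
            found[sq] = P
        if len(found) == 2: return found[True], found[False]

def sidh(nA, nB):
    """One run of the key agreement; nA in [0, 27) and nB in [0, 25) are the two secrets."""
    a, b = ONE, ZERO                                     # public starting curve E: y^2 = x^3 + x
    PA, QA = basis(3, 3, a); PB, QB = basis(5, 2, a)     # public bases of E[27] and E[25]
    SA, SB = add(PA, mul(nA, QA, a), a), add(PB, mul(nB, QB, a), a)   # secret kernel generators
    aA, bA, (PB2, QB2) = chain(a, b, SA, 3, 3, [PB, QB]) # Alice sends E_A, phi_A(P_B), phi_A(Q_B)
    aB, bB, (PA2, QA2) = chain(a, b, SB, 5, 2, [PA, QA]) # Bob sends E_B, phi_B(P_A), phi_B(Q_A)
    aAB, bAB, _ = chain(aB, bB, add(PA2, mul(nA, QA2, aB), aB), 3, 3, [])  # Alice: E_B/<phi_B(S_A)>
    aBA, bBA, _ = chain(aA, bA, add(PB2, mul(nB, QB2, aA), aA), 5, 2, [])  # Bob: E_A/<phi_A(S_B)>
    return j_inv(aAB, bAB), j_inv(aBA, bBA)              # both equal: the shared key

if __name__ == "__main__":
    jA, jB = sidh(5, 7)
    print("shared j-invariant:", jA, "agreement:", jA == jB)
```

The two j-invariants returned by `sidh` agree because E_B/⟨φ_B(S_A)⟩ and E_A/⟨φ_A(S_B)⟩ are both E/⟨S_A, S_B⟩. The only thing this toy sidesteps relative to the ℓ_A = 2 setting of the slides is the basis construction: with even degree the F_p-rational and twist points share their 2-torsion, so a basis of E[2^{e_A}] needs square roots in F_{p²}; the isogeny arithmetic itself is unchanged.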

SLIDE 49

SIDH implementation

Costello, Longa, Naehrig: curve y² = x³ + x over the field F_p with p = 2^372 · 3^239 − 1.
Security: classical 192 bits, post-quantum 128 bits.
Large number of optimizations in the curve model, base points and isogeny computation.
Full key agreement in about 10^8 cycles (roughly 30 per second on a PC).

SLIDE 50

Supersingular isogeny computation: hardness

Classical computers

Given two supersingular elliptic curves E1 and E2 over F_{p²}, one can compute an isogeny in time Õ(p^{1/4}).
But the SIDH problem is much less general, since the degree ℓ_A^{e_A} is known and ℓ_A^{e_A} < √p, so both curves are not that far apart in the isogeny graph.
Claw problem: given two functions f : A → C and g : B → C, find a pair (a, b) with f(a) = g(b).
Let A (resp. B) be the set of subgroups of order ℓ_A^{e_A/2} on E1 (resp. on E2), and f and g the maps induced by the corresponding isogenies (each subgroup is sent to the j-invariant of the quotient curve).
Again an O(p^{1/4}) attack: both sets have size about ℓ_A^{e_A/2} ≈ p^{1/4}.

SLIDE 52

Supersingular isogeny computation: hardness

Quantum computers

The claw problem can be solved in time O(p^{1/6}).
Abelian hidden shift problem? De Feo, Jao, Plût argue this does not apply since End(E) is not abelian.
Do we need the full End(E)? Is there a natural group action in this case?

Can people in this room do better?
