elliptic curve isogeny based cryptosystems
play

Elliptic Curve Isogeny Based Cryptosystems Frederik Vercauteren - PowerPoint PPT Presentation

Jan 11, 2024 •313 likes •839 views

Elliptic Curve Isogeny Based Cryptosystems Frederik Vercauteren Open Security Research (China) KU Leuven ESAT/COSIC (Belgium) frederik.vercauteren@gmail.com 23 August 2016 Frederik Vercauteren Elliptic Curve Isogeny Based Cryptosystems 23

  1. Elliptic Curve Isogeny Based Cryptosystems Frederik Vercauteren Open Security Research (China) KU Leuven ESAT/COSIC (Belgium) frederik.vercauteren@gmail.com 23 August 2016 Frederik Vercauteren Elliptic Curve Isogeny Based Cryptosystems 23 August 2016 1 / 38

  2. Elliptic curves and isogenies 1 Ordinary isogeny Diffie-Hellman 2 Supersingular isogeny Diffie-Hellman 3 Frederik Vercauteren Elliptic Curve Isogeny Based Cryptosystems 23 August 2016 2 / 38

  3. Post-quantum cryptography Shor’s algorithm: breaks RSA, DLP , ECDLP in polytime on quantum computer Post-quantum cryptographic systems: Code-based crypto: McEliece, . . . Lattice based crypto: NTRU, LWE, . . . Hash-based crypto: Merkle hash tree signatures, . . . Multivariate crypto: Hidden Field Equations, . . . What about isogeny based crypto ? Frederik Vercauteren Elliptic Curve Isogeny Based Cryptosystems 23 August 2016 3 / 38

  4. Isogeny based crypto: history Diffie-Hellman key agreement: 1997: Couveignes: Talk at ENS about ”Hard Homogeneous Spaces” 2006: Rostovtsev, Stolbunov: ordinary isogeny Diffie-Hellman 2010: Weiwei, Debiao: key agreement protocols 2011: de Feo, Jao, Plˆ ut: supersingular isogeny Diffie-Hellman 2016: Costello, Longa, Naehrig: efficient implementation of SIDH Frederik Vercauteren Elliptic Curve Isogeny Based Cryptosystems 23 August 2016 4 / 38

  5. Isogeny based crypto: history Diffie-Hellman key agreement: 1997: Couveignes: Talk at ENS about ”Hard Homogeneous Spaces” 2006: Rostovtsev, Stolbunov: ordinary isogeny Diffie-Hellman 2010: Weiwei, Debiao: key agreement protocols 2011: de Feo, Jao, Plˆ ut: supersingular isogeny Diffie-Hellman 2016: Costello, Longa, Naehrig: efficient implementation of SIDH Other cryptographic constructions: 2003: Teske: elliptic curve trapdoor system 2004: Rostovtsev, Makhovenko, Shemyakina: ordered digital signature scheme 2009: Charles, Lauter, Goren: hash function based on isogeny graph 2010-2011: Debiao, Jianhua and Jin: random number generator and key agreement 2014: Sun, Tian, Wang: strong designated verifier signature 2014: Jao, Soukharev: undeniable signatures Frederik Vercauteren Elliptic Curve Isogeny Based Cryptosystems 23 August 2016 4 / 38

  6. Idea 1: Diffie-Hellman from abelian group action Let G be a finite abelian group and X a set with a group action ⋆ G × X → X : ( g , x ) �→ g ⋆ x Recall ( gh ) ⋆ x = g ⋆ ( h ⋆ x ) and e ⋆ x = x Key agreement: Alice Bob a ∈ R G b ∈ R G α = a ⋆ x β = b ⋆ x α − → β ← − k = a ⋆ β = ( ab ) ⋆ x k = b ⋆ α = ( ba ) ⋆ x Frederik Vercauteren Elliptic Curve Isogeny Based Cryptosystems 23 August 2016 5 / 38

  7. Idea 1: instantiation Couveignes (1997), Rostovtsev, Stolbunov (2006) Set X consists of j -invariants of elliptic curves E / F q with End ( E ) ≃ O K , ring of integers of quadratic imaginary field Group G is class group cl ( O K ) Ideal a in O K defines a subgroup E [ a ] and isogeny ϕ a : E → E ′ = E / E [ a ] Action: [ a ] ⋆ j ( E ) = j ( E ′ ) Frederik Vercauteren Elliptic Curve Isogeny Based Cryptosystems 23 August 2016 6 / 38

  8. Elliptic curves Elliptic curve E over field k with char ( k ) > 3 can be defined by y 2 = x 3 + ax + b 4 a 3 + 27 b 2 � = 0 a , b ∈ k , For any field extension k ′ / k , E ( k ′ ) set of k ′ -rational points forms an abelian group with O as identity element Frederik Vercauteren Elliptic Curve Isogeny Based Cryptosystems 23 August 2016 7 / 38

  9. Elliptic curves Elliptic curve E over field k with char ( k ) > 3 can be defined by y 2 = x 3 + ax + b 4 a 3 + 27 b 2 � = 0 a , b ∈ k , For any field extension k ′ / k , E ( k ′ ) set of k ′ -rational points forms an abelian group with O as identity element 4 a 3 The j -invariant j ( E ) = j ( a , b ) = 1728 4 a 3 + 27 b 2 determines isomorphism class over k Given j 0 ∈ k , easy to write down curve with j -invariant equal to j 0 j ( 0 , b ) = 0 and j ( a , 0 ) = 1728 General case: a = − 3 c and b = 2 c with c = j 0 / ( j 0 − 1728 ) Frederik Vercauteren Elliptic Curve Isogeny Based Cryptosystems 23 August 2016 7 / 38

  10. Torsion subgroups Multiplication by n map: [ n ] : E → E : P �→ nP n -torsion subgroup is kernel of [ n ] E [ n ] = { P ∈ E ( k ) : nP = O } If char ( k ) ∤ n , then structure of E [ n ] ≃ Z / n Z × Z / n Z If char ( k ) = p , then either: Supersingular: E [ p e ] = { O } or Ordinary: E [ p e ] ≃ Z / p e Z Frederik Vercauteren Elliptic Curve Isogeny Based Cryptosystems 23 August 2016 8 / 38

  11. Isogenies An isogeny ϕ : E 1 → E 2 is a morphism (rational map) that preserves identity The degree of an isogeny is its degree as rational map If isogeny is separable, then deg ( ϕ ) = # ker ( ϕ ) For isogeny ϕ : E 1 → E 2 of degree n we have dual isogeny ϕ : E 2 → E 1 with ˆ ϕ ◦ ϕ = [ n ] E 1 and ϕ ◦ ˆ ˆ ϕ = [ n ] E 2 Frederik Vercauteren Elliptic Curve Isogeny Based Cryptosystems 23 August 2016 9 / 38

  12. Isogenies An isogeny ϕ : E 1 → E 2 is a morphism (rational map) that preserves identity The degree of an isogeny is its degree as rational map If isogeny is separable, then deg ( ϕ ) = # ker ( ϕ ) For isogeny ϕ : E 1 → E 2 of degree n we have dual isogeny ϕ : E 2 → E 1 with ˆ ϕ ◦ ϕ = [ n ] E 1 and ϕ ◦ ˆ ˆ ϕ = [ n ] E 2 Theorem For every finite subgroup H ⊂ E 1 ( k ) , there exists elliptic curve E 2 and separable isogeny ϕ : E 1 → E 2 with ker ϕ = H V´ elu’s formulae : compute curve E 2 and isogeny ϕ given H Frederik Vercauteren Elliptic Curve Isogeny Based Cryptosystems 23 August 2016 9 / 38

  13. ℓ -Isogenies and modular polynomial Let ℓ � = char ( k ) be prime, then isogeny of degree ℓ has cyclic kernel of order ℓ Recall: E [ ℓ ] = Z /ℓ Z × Z /ℓ Z , so there are ℓ + 1 cyclic subgroups Each subgroup is kernel of isogeny Isogeny is defined over k iff its kernel is Galois invariant under Gal ( k ( E [ ℓ ]) / k ) So there are: 0, 1, 2 or ℓ + 1, k -rational isogenies Frederik Vercauteren Elliptic Curve Isogeny Based Cryptosystems 23 August 2016 10 / 38

  14. ℓ -Isogenies and modular polynomial Let ℓ � = char ( k ) be prime, then isogeny of degree ℓ has cyclic kernel of order ℓ Recall: E [ ℓ ] = Z /ℓ Z × Z /ℓ Z , so there are ℓ + 1 cyclic subgroups Each subgroup is kernel of isogeny Isogeny is defined over k iff its kernel is Galois invariant under Gal ( k ( E [ ℓ ]) / k ) So there are: 0, 1, 2 or ℓ + 1, k -rational isogenies Modular polynomial : Φ ℓ ( X , Y ) Symmetric in X , Y and of degree ℓ + 1 Two elliptic curves E 1 , E 2 are ℓ -isogenous iff Φ ℓ ( j ( E 1 ) , j ( E 2 )) = 0 Frederik Vercauteren Elliptic Curve Isogeny Based Cryptosystems 23 August 2016 10 / 38

  15. ℓ -Isogenies and modular polynomial Let ℓ � = char ( k ) be prime, then isogeny of degree ℓ has cyclic kernel of order ℓ Recall: E [ ℓ ] = Z /ℓ Z × Z /ℓ Z , so there are ℓ + 1 cyclic subgroups Each subgroup is kernel of isogeny Isogeny is defined over k iff its kernel is Galois invariant under Gal ( k ( E [ ℓ ]) / k ) So there are: 0, 1, 2 or ℓ + 1, k -rational isogenies Modular polynomial : Φ ℓ ( X , Y ) Symmetric in X , Y and of degree ℓ + 1 Two elliptic curves E 1 , E 2 are ℓ -isogenous iff Φ ℓ ( j ( E 1 ) , j ( E 2 )) = 0 Elkies algorithm : isogeny and its kernel given j ( E 1 ) and j ( E 2 ) Frederik Vercauteren Elliptic Curve Isogeny Based Cryptosystems 23 August 2016 10 / 38

  16. Endomorphism ring Endomorphism is an isogeny from E to itself The set of endomorphisms End ( E ) forms a ring ( ϕ + ψ )( P ) = ϕ ( P ) + ψ ( P ) ( ϕψ )( P ) = ϕ ( ψ ( P )) Frederik Vercauteren Elliptic Curve Isogeny Based Cryptosystems 23 August 2016 11 / 38

  17. Endomorphism ring Endomorphism is an isogeny from E to itself The set of endomorphisms End ( E ) forms a ring ( ϕ + ψ )( P ) = ϕ ( P ) + ψ ( P ) ( ϕψ )( P ) = ϕ ( ψ ( P )) Theorem End ( E ) of a curve E / k can be: End ( E ) ≃ Z 1 End ( E ) ≃ an order O in imaginary quadratic extension of Q 2 End ( E ) ≃ an order O in quaternion algebra over Q 3 If End ( E ) is strictly larger than Z , then E is said to have complex multiplication Case 3 occurs if and only if E is supersingular (see later) Frederik Vercauteren Elliptic Curve Isogeny Based Cryptosystems 23 August 2016 11 / 38

  18. Endomorphism rings of isogenous curves The endomorphism algebra End 0 ( E ) = End ( E ) ⊗ Q End 0 ( E ) is isogeny invariant: so if E 1 is supersingular then also E 2 In general End ( E 1 ) � = End ( E 2 ) , but for ℓ -isogenies we have End ( E 1 ) = End ( E 2 ) (horizontal) End ( E 1 ) has index ℓ in End ( E 2 ) (ascending) End ( E 2 ) has index ℓ in End ( E 1 ) (descending) Frederik Vercauteren Elliptic Curve Isogeny Based Cryptosystems 23 August 2016 12 / 38

  19. Frobenius endomorphism Let E be elliptic curve over finite field k = F q The Frobenius endomorphism π E : E → E : ( x , y ) �→ ( x q , y q ) Theorem The characteristic equation of π E is given by | t |≤ 2 √ q X 2 − tX + q = 0 , and # E ( F q ) = q + 1 − t ∆ = t 2 − 4 q ≤ 0, so Q ( π E ) is imag quad field K for | t | � = 2 √ q Frederik Vercauteren Elliptic Curve Isogeny Based Cryptosystems 23 August 2016 13 / 38

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

isogeny-based cryptography Craig Costello Summer School on Real-World Crypto and Privacy June 8,

isogeny-based cryptography Craig Costello Summer School on Real-World Crypto and Privacy June 8,

An introduction to supersingular isogeny-based cryptography Craig Costello Summer School on Real-World Crypto and Privacy June 8, 2017 ibenik , Croatia T owards quantum-resistant cryptosystems from supersingular elliptic curve isogenies

1.46k views • 51 slides
Isogeny based crypto: whats under the hood? Luca De Feo Universit Paris Saclay UVSQ Nov

Isogeny based crypto: whats under the hood? Luca De Feo Universit Paris Saclay UVSQ Nov

Isogeny based crypto: whats under the hood? Luca De Feo Universit Paris Saclay UVSQ Nov 15, 2018, cole des Mines de Saint-tienne, Gardanne Elliptic curves Let E y 2 x 3 ax b be an elliptic curve... R Q P P Q

715 views • 57 slides
Fault Attacks on Elliptic Curve Cryptosystems Marc Joye Thomson Security Labs

Fault Attacks on Elliptic Curve Cryptosystems Marc Joye Thomson Security Labs

Fault Attacks on Elliptic Curve Cryptosystems Marc Joye Thomson Security Labs marc.joye@thomson.net CryptoPuces 2009 Porquerolles, June 26, 2009 Outline Elliptic Curve Cryptography Inducing Faults Fault Attacks Countermeasures

363 views • 24 slides
Fault Attacks on Supersingular Isogeny Cryptosystems Yan Bo Ti Department of Mathematics,

Fault Attacks on Supersingular Isogeny Cryptosystems Yan Bo Ti Department of Mathematics,

Fault Attacks on Supersingular Isogeny Cryptosystems Yan Bo Ti Department of Mathematics, University of Auckland PQCrypto 2017, 26th of June 1/15 Outline 1 Preliminaries Introduction Supersingular isogenies SSI cryptosystems 2 Fault attack

378 views • 33 slides
Advances in isogeny-based cryptography Benjamin Smith Inria + Laboratoire dInformatique de

Advances in isogeny-based cryptography Benjamin Smith Inria + Laboratoire dInformatique de

Advances in isogeny-based cryptography Benjamin Smith Inria + Laboratoire dInformatique de lcole polytechnique (LIX) 1 Arithmetic of low-dimensional abelian varieties // ICERM // 6/6/19 Elliptic curve cryptography 1 Breaking keypairs

821 views • 57 slides
20 years of isogeny-based cryptography Luca De Feo feat. Jean Kieffer, Benjamin Smith

20 years of isogeny-based cryptography Luca De Feo feat. Jean Kieffer, Benjamin Smith

20 years of isogeny-based cryptography Luca De Feo feat. Jean Kieffer, Benjamin Smith Universit Paris Saclay, UVSQ & Inria November 14, 2017, Elliptic Curve Cryptography, Nijmegen Slides online at http://defeo.lu/docet/ Overview

1.07k views • 84 slides
Quick Review: Quadratic Residues Koblitzs Method We want to solve equations like: All of the

Quick Review: Quadratic Residues Koblitzs Method We want to solve equations like: All of the

Elliptic Curves Suppose F is a field and a 1 , . . . , a 6 F . Elliptic Curve Cryptography Definition 1. An elliptic curve E over a field F is a curve given by an equation: Jim Royer Y 2 + a 1 XY + a 3 Y X 3 + a 2 X 2 + a 4 X + a 6 = (1)

337 views • 5 slides
Elliptic Curve Cryptography Applications of Elliptic Curve Cryptography Elliptic Curve

Elliptic Curve Cryptography Applications of Elliptic Curve Cryptography Elliptic Curve

Cryptography Elliptic Curve Cryptography Overview of Elliptic Curve Cryptography Elliptic Curve Cryptography Applications of Elliptic Curve Cryptography Elliptic Curve Cryptography Cryptography in OpenSSL School of Engineering and

857 views • 17 slides
On the Security of Supersingular Isogeny Cryptosystems Yan Bo Ti Department of Mathematics,

On the Security of Supersingular Isogeny Cryptosystems Yan Bo Ti Department of Mathematics,

On the Security of Supersingular Isogeny Cryptosystems Yan Bo Ti Department of Mathematics, University of Auckland AsiaCrypt 2016, 5th of December 1/17 Outline Joint work with Steven Galbraith , Christophe Petit and Barak Shani . 1

242 views • 23 slides
Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve

Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve

Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve cryptography and elliptic-curve cryptography) Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Tanja Lange

318 views • 29 slides
Exploring Isogeny Graphs Around the Volcano in 2 80 Days Luca De Feo hand drawings by Rachel

Exploring Isogeny Graphs Around the Volcano in 2 80 Days Luca De Feo hand drawings by Rachel

Exploring Isogeny Graphs Around the Volcano in 2 80 Days Luca De Feo hand drawings by Rachel Deyts Universit Paris Saclay UVSQ Dec 14, 2018, UVSQ, Versailles Elliptic curves Let E y 2 x 3 ax b be an elliptic curve...

1.02k views • 85 slides
An introduction to supersingular isogeny-based cryptography Craig Costello November 10 ECC 2017

An introduction to supersingular isogeny-based cryptography Craig Costello November 10 ECC 2017

An introduction to supersingular isogeny-based cryptography Craig Costello November 10 ECC 2017 Nijmegen, The Netherlands W. Castryck (GIF): Elliptic curves are dead: long live elliptic curves https://www.esat.kuleuven.be/cosic/?p=7404

1.07k views • 78 slides
Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve

Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve

Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve cryptography and elliptic-curve cryptography) Daniel J. Bernstein Through our inefficient use of University of Illinois at Chicago & energy (gas

1.07k views • 76 slides
Motivation Given an elliptic curve E over a finite field F q . Is the Discrete Logarithm Problem

Motivation Given an elliptic curve E over a finite field F q . Is the Discrete Logarithm Problem

Counting points on elliptic curves over F q Christiane Peters DIAMANT-Summer School on Elliptic and Hyperelliptic Curve Cryptography September 17, 2008 Motivation Given an elliptic curve E over a finite field F q . Is the Discrete Logarithm

587 views • 30 slides
Elliptic Curves over the Rational Mordells Theorem Numbers Q An elliptic curve is a

Elliptic Curves over the Rational Mordells Theorem Numbers Q An elliptic curve is a

Elliptic Curves over the Rational Mordells Theorem Numbers Q An elliptic curve is a nonsingular plane cu- Theorem (Mordell). The group E ( Q ) of rational points on an bic curve with a rational point (possibly at elliptic curve is a

402 views • 7 slides
Loop-abort faults on supersingular isogeny cryptosystems Alexandre Glin Benjamin Wesolowski

Loop-abort faults on supersingular isogeny cryptosystems Alexandre Glin Benjamin Wesolowski

Loop-abort faults on supersingular isogeny cryptosystems Alexandre Glin Benjamin Wesolowski Laboratoire dInformatique de Paris 6 Sorbonne Universits UPMC, France cole Polytechnique Fdrale de Lausanne, EPFL IC LACAL, Switzerland

955 views • 58 slides
A survey of Key Management for Secure Group Communication Sandro Rafaeli and David Hutchison

A survey of Key Management for Secure Group Communication Sandro Rafaeli and David Hutchison

A survey of Key Management for Secure Group Communication Sandro Rafaeli and David Hutchison Presented By: Anil Bazaz CS6204, Spring 2005 Intro: Group Communication Uses IP multicast to transmit data Does not limit access to data No

543 views • 19 slides
Crypto Fundamentals Dr. Mohammed Shafiul Alam Khan Assistant Professor Institute of Information

Crypto Fundamentals Dr. Mohammed Shafiul Alam Khan Assistant Professor Institute of Information

Crypto Fundamentals Dr. Mohammed Shafiul Alam Khan Assistant Professor Institute of Information Technology (IIT), University of Dhaka (DU) shafiul@du.ac.bd December 10, 2017 M S A Khan (IIT, DU) Crypto Fundamentals December 10, 2017 1 / 31

596 views • 32 slides
Discrete-Log Based Public Key Cryptosystems Jim Royer September 25, 2018 Introduction to

Discrete-Log Based Public Key Cryptosystems Jim Royer September 25, 2018 Introduction to

Note: Log = logarithm, not Discrete-Log Based Public Key Cryptosystems Jim Royer September 25, 2018 Introduction to Cryptography 1 References Symmetric and Asymmetric Cryptosystems Public-Key Cryptosystems Based on the Discrete

436 views • 9 slides
Isogeny-based cryptography, a quantum-safe alternative Annamaria Iezzi University of South

Isogeny-based cryptography, a quantum-safe alternative Annamaria Iezzi University of South

Isogeny-based cryptography, a quantum-safe alternative Annamaria Iezzi University of South Florida FWIMD - February 9, 2019 The key exchange problem ALICE and BELLE, communicating over a public channel, want to agree on a common secret

499 views • 18 slides
POST-QUANTUM CRYPTOGRAPHY HOW WILL WE ENCRYPT TOMORROW? Hanno Bck https://hboeck.de 1

POST-QUANTUM CRYPTOGRAPHY HOW WILL WE ENCRYPT TOMORROW? Hanno Bck https://hboeck.de 1

POST-QUANTUM CRYPTOGRAPHY HOW WILL WE ENCRYPT TOMORROW? Hanno Bck https://hboeck.de 1 INTRODUCTION Hanno Bck, freelance journalist and hacker. Writing for Golem.de and others. Fuzzing Project , funded by Linux Foundation's Core

1.09k views • 46 slides
Lecture 8 Public Key Cryptography (Diffie-Hellman and RSA) 1 Public Key Cryptography

Lecture 8 Public Key Cryptography (Diffie-Hellman and RSA) 1 Public Key Cryptography

Lecture 8 Public Key Cryptography (Diffie-Hellman and RSA) 1 Public Key Cryptography Asymmetric cryptography Invented in 1974-1978 (Diffie-Hellman and Rivest-Shamir- Adleman) Two keys: private (SK), public (PK) Encryption: with

445 views • 17 slides
Fast, uniform scalar multiplication for genus 2 Jacobians with fast Kummers Ping Ngai (Brian)

Fast, uniform scalar multiplication for genus 2 Jacobians with fast Kummers Ping Ngai (Brian)

Fast, uniform scalar multiplication for genus 2 Jacobians with fast Kummers Ping Ngai (Brian) Chung Craig Costello Benjamin Smith University of Chicago Microsoft Research INRIA + Laboratoire dInformatique de l Ecole polytechnique

498 views • 20 slides
What is cryptography about? loru23n8uladjkfb!#@ I will cut your throat

What is cryptography about? loru23n8uladjkfb!#@ I will cut your throat

15-251 Great Ideas in Theoretical Computer Science Lecture 27: Cryptography November 30th, 2017 What is cryptography about? loru23n8uladjkfb!#@ I will cut your throat loru23n8uladjkfb!#@ encryption decryption

435 views • 17 slides

More recommend