Supersingular isogeny crypto gets practical (Patrick Longa, Real World Crypto 2018) - slides


slide-1
SLIDE 1

https://www.microsoft.com/en-us/research/people/plonga/

slide-2
SLIDE 2

Quick motivation recap

  • Quantum computers break the public-key cryptography currently in use: cryptosystems based on factoring and on (elliptic curve) discrete logarithms.
  • NIST launches the post-quantum cryptography standardization project: https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum-Cryptography/documents/call-for-proposals-final-dec-2016.pdf

“The goal of this process is to select a number of acceptable candidate cryptosystems for standardization.” (This includes: digital signatures, encryption and key encapsulation.)

Real World Crypto 2018 Patrick Longa – Supersingular isogeny crypto gets practical 1

slide-3
SLIDE 3

Post-quantum candidates

  • Code-based: McEliece
  • Lattice-based: NTRU, LWE-based
  • Hash-based: Merkle’s hash-tree signatures
  • Multivariate: HFEv- signature scheme
  • Isogeny-based: SIDH, SIKE

slide-4
SLIDE 4

Post-quantum candidates: in this talk…

  • Isogeny-based: SIDH, SIKE

(Not covered here: code-based McEliece, lattice-based NTRU and LWE-based schemes, hash-based Merkle’s hash-tree signatures, and the multivariate HFEv- signature scheme.)

slide-5
SLIDE 5

(A brief) Timeline of isogeny-based crypto, part I

1996 Couveignes describes the first isogeny-based (key exchange) scheme.

2006 Rostovtsev and Stolbunov, and later Stolbunov (2010), propose key exchange using ordinary isogenies.

  • These schemes are impractical, and
  • can be broken in (quantum) subexponential time (Childs, Jao and Soukharev 2010).

2010 Jao and De Feo propose key exchange using supersingular isogenies (SIDH).

  • Much better performance.
  • Best quantum and classical attack complexity is, as of today (2018), exponential.

slide-6
SLIDE 6

Supersingular Isogeny Diffie-Hellman (SIDH)

Public parameters: a supersingular curve E_0 and points P_A, Q_A, P_B, Q_B on it (E’s are isogenous curves; P’s, Q’s, R’s, S’s are points).

Alice (private s_A):

  • ker(φ_A) = ⟨A⟩ with A = P_A + [s_A]Q_A, and E_A = E_0/⟨A⟩
  • public: E_A and {R_A, S_A} = {φ_A(P_B), φ_A(Q_B)}

Bob (private s_B):

  • ker(φ_B) = ⟨B⟩ with B = P_B + [s_B]Q_B, and E_B = E_0/⟨B⟩
  • public: E_B and {R_B, S_B} = {φ_B(P_A), φ_B(Q_A)}

Second round, each on the other party’s curve:

  • Alice: ker(φ′_A) = ⟨A′⟩ with A′ = R_B + [s_A]S_B, and E_BA = E_B/⟨A′⟩
  • Bob: ker(φ′_B) = ⟨B′⟩ with B′ = R_A + [s_B]S_A, and E_AB = E_A/⟨B′⟩

Both arrive at the same curve up to isomorphism:

E_AB = φ′_B(φ_A(E_0)) ≅ E_0/⟨P_A + [s_A]Q_A, P_B + [s_B]Q_B⟩ = E_0/⟨A, B⟩ ≅ φ′_A(φ_B(E_0)) = E_BA

  • Shared secret: the j-invariant j(E_AB) = j(E_BA).
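The exchange in the diagram above, as an added worked example that is not part of the talk or of the PQCrypto-SIDH library: a toy SIDH over 𝔽_{p²} with p = 2⁴·3³ − 1 = 431 and E_0: y² = x³ + x, in which Alice pushes a 2⁴-isogeny and Bob a 3³-isogeny through each other’s public curves and both end at curves with the same j-invariant. Assumptions: toy parameters with no security margin; a short Weierstrass model with full (x, y) points and Vélu’s formulas evaluated over the whole kernel subgroup, in place of the Montgomery x-only arithmetic and 2-/3-isogeny chains of real implementations; the torsion bases are sampled at random using E_0(𝔽_{p²}) ≅ (ℤ/(p+1))²; nothing is constant time. SIDH and SIKE were later broken outright by the Castryck–Decru key-recovery attack of 2022, so this shows how the 2018 construction works, not a primitive to deploy.

```python
# Added example (not from the talk or the PQCrypto-SIDH library): toy SIDH over F_{p^2}, p = 2^4*3^3 - 1 = 431,
# E0: y^2 = x^3 + x, with Velu's formulas. Assumptions: toy parameters with no security; short Weierstrass
# model, full (x, y) points and Velu over the whole kernel instead of x-only 2-/3-isogeny chains; not constant time.
import secrets

EA, EB = 4, 3
P = 2**EA * 3**EB - 1        # 431 is prime and p = 3 mod 4, so F_{p^2} = F_p(i) with i^2 = -1

class F2:                    # element a + b*i of F_{p^2}
    def __init__(s, a, b=0): s.a, s.b = a % P, b % P
    def __add__(s, o): return F2(s.a + o.a, s.b + o.b)
    def __sub__(s, o): return F2(s.a - o.a, s.b - o.b)
    def __mul__(s, o): return F2(s.a*o.a - s.b*o.b, s.a*o.b + s.b*o.a)
    def __truediv__(s, o):   # multiply by the conjugate of o over its norm c^2 + d^2
        n = pow(o.a*o.a + o.b*o.b, P - 2, P)
        return s * F2(o.a*n, -o.b*n)
    def __eq__(s, o): return isinstance(o, F2) and (s.a, s.b) == (o.a, o.b)

def sqrt_fp(c):              # square root in F_p (p = 3 mod 4), or None for a non-residue
    r = pow(c % P, (P + 1)//4, P)
    return r if r*r % P == c % P else None

def sqrt_f2(z):              # square root in F_{p^2}, or None if z is not a square
    if z.b == 0:             # z in F_p: root in F_p, else i*sqrt(-z) because -1 is a non-residue
        r = sqrt_fp(z.a)
        return F2(r) if r is not None else F2(0, sqrt_fp(-z.a))
    n = sqrt_fp(z.a*z.a + z.b*z.b)       # the norm of z is a square in F_p iff z is a square in F_{p^2}
    if n is None: return None
    for t in (z.a + n, z.a - n):         # (x0 + x1 i)^2 = z gives x0^2 = (a +/- n)/2 and x1 = b/(2 x0)
        x0 = sqrt_fp(t * pow(2, P - 2, P))
        if x0: return F2(x0, z.b * pow(2*x0, P - 2, P))

def add(E, p1, p2):          # point addition on y^2 = x^3 + a*x + b; None is the point at infinity
    if p1 is None or p2 is None: return p1 if p2 is None else p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if y1 + y2 == F2(0): return None                   # p1 = -p2 (also doubling a 2-torsion point)
        lam = (F2(3)*x1*x1 + E[0]) / (F2(2)*y1)
    else:
        lam = (y2 - y1) / (x2 - x1)
    x3 = lam*lam - x1 - x2
    return x3, lam*(x1 - x3) - y1

def mul(E, k, pt):           # [k]pt by double-and-add
    acc = None
    while k:
        if k & 1: acc = add(E, acc, pt)
        pt, k = add(E, pt, pt), k >> 1
    return acc

def j_invariant(E):
    d = F2(4)*E[0]*E[0]*E[0]
    return F2(1728)*d / (d + F2(27)*E[1]*E[1])

def velu(E, K):
    """Isogeny with kernel <K> by Velu's formulas: returns the codomain (a', b') and the point map."""
    ker, Q = [], K
    while Q is not None:                                   # every nonzero point of <K>
        ker.append(Q); Q = add(E, Q, K)
    t = sum((F2(3)*x*x + E[0] for x, _ in ker), F2(0))
    w = sum((F2(5)*x*x*x + F2(3)*E[0]*x + F2(2)*E[1] for x, _ in ker), F2(0))
    E2 = (E[0] - F2(5)*t, E[1] - F2(7)*w)
    def phi(pt):                                           # pt + sum over Q in ker\{O} of ((pt + Q) - Q)
        if pt is None or pt in ker: return None
        x, y = pt
        for q in ker:
            xs, ys = add(E, pt, q)
            x, y = x + xs - q[0], y + ys - q[1]
        return x, y
    return E2, phi

def random_point(E):
    while True:
        x = F2(secrets.randbelow(P), secrets.randbelow(P))
        y = sqrt_f2(x*x*x + E[0]*x + E[1])
        if y is not None: return x, y

def torsion_basis(E, l, e):  # P, Q with E[l^e] = <P, Q>; uses E0(F_{p^2}) = (Z/(p+1))^2 for this curve
    cof = (P + 1) // l**e
    while True:
        Pt, Qt = mul(E, cof, random_point(E)), mul(E, cof, random_point(E))
        Pl, Ql = mul(E, l**(e - 1), Pt), mul(E, l**(e - 1), Qt)       # l-torsion parts: both nonzero,
        if Pl and Ql and all(mul(E, k, Pl) != Ql for k in range(1, l)):   # and Ql outside <Pl>
            return Pt, Qt

def sidh_keygen(E0, l, e, own, other):   # secret s, public (E0/<P + [s]Q>, images of the other basis)
    s = secrets.randbelow(l**e)
    E2, phi = velu(E0, add(E0, own[0], mul(E0, s, own[1])))
    return s, (E2, phi(other[0]), phi(other[1]))

def sidh_shared(pk_other, s):            # kernel R + [s]S on the other curve; secret = j of the codomain
    E2, R, S = pk_other
    return j_invariant(velu(E2, add(E2, R, mul(E2, s, S)))[0])

def demo():
    E0 = (F2(1), F2(0))                                    # y^2 = x^3 + x, j = 1728
    PA, QA = torsion_basis(E0, 2, EA)
    PB, QB = torsion_basis(E0, 3, EB)
    sA, pkA = sidh_keygen(E0, 2, EA, (PA, QA), (PB, QB))  # Alice: degree-2^4 isogeny
    sB, pkB = sidh_keygen(E0, 3, EB, (PB, QB), (PA, QA))  # Bob: degree-3^3 isogeny
    return sidh_shared(pkB, sA), sidh_shared(pkA, sB)      # j(E_BA) and j(E_AB): equal
```

`demo()` returns the two j-invariants, which agree because both E_B/⟨φ_B(A)⟩ and E_A/⟨φ_A(B)⟩ are E_0/⟨A, B⟩ up to isomorphism. The same structure is what makes the GPST attack on the next slide possible: a peer who reuses s_A and applies it to whatever points R_B, S_B it is handed has no way, in plain SIDH, to tell honest points from manipulated ones.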

slide-16
SLIDE 16

SIDH security

Setting: supersingular curves E_1/𝔽_{p²} and E_2/𝔽_{p²}, a large prime p, and an isogeny φ: E_1 → E_2 with fixed, smooth, public degree.

Supersingular isogeny problem: given P, Q ∈ E_1 and φ(P), φ(Q) ∈ E_2, compute φ.

  • Best known attacks: classical O(p^{1/4}) and quantum O(p^{1/6}), via generic claw-finding algorithms (meet-in-the-middle over the two halves of a length-e path in the ℓ-isogeny graph, each half of size ≈ ℓ^{e/2} ≈ p^{1/4}).

slide-17
SLIDE 17

Supersingular Isogeny Diffie-Hellman (SIDH)

(Until recently) two problems remained:

  • Existing realizations were still slow (running in the hundreds of milliseconds) and unprotected against side-channel attacks.
  • SIDH is not secure when keys are reused (Galbraith–Petit–Shani–Ti 2016): an active attacker who feeds manipulated points to a party holding a static key learns that key from whether the derived shared secrets agree, so SIDH is only recommended in ephemeral mode.

slide-18
SLIDE 18

(A brief) Timeline of isogeny-based crypto, part II

2016 SIDH gets closer to practical use (Costello-Longa-Naehrig 2016).

  • New parameter set (SIDHp751) for the 128-bit quantum security level.
  • Several optimization techniques push performance below 60 milliseconds (in “constant-time”).

But still not fast enough for some applications, and not secure with static keys.

2017 …


slide-19
SLIDE 19

Supersingular isogeny key encapsulation (SIKE)

Costello–De Feo–Jao–Longa–Naehrig–Renes, 2017

  • IND-CCA secure key encapsulation: no problem reusing keys!
  • Uses a variant of the Hofheinz–Hövelmanns–Kiltz (HHK) transform: IND-CPA PKE → IND-CCA KEM
  • The HHK transform is secure in both the classical and the quantum ROM models
  • Offline key generation gives a performance boost (no perf loss SIDH → SIKE)
  • Three parameter sets matching the security of AES-128, 192 and 256.

For a starting curve E_0/𝔽_{p²}: y² = x³ + x, where p = 2^{e_A} 3^{e_B} − 1:

Scheme (SIKEp + ⌈log₂ p⌉)   (e_A, e_B)    classical sec.   quantum sec.   Security level
SIKEp503                     (250, 159)    126 bits         84 bits        AES-128 (NIST level 1)
SIKEp751                     (372, 239)    188 bits         125 bits       AES-192 (NIST level 3)
SIKEp964                     (486, 301)    241 bits         161 bits       AES-256 (NIST level 5)

(The classical and quantum columns are ≈ log₂p/4 and ≈ log₂p/6 bits, the generic claw-finding costs from the security slide.)

slide-22
SLIDE 22

Supersingular isogeny key encapsulation (SIKE)

Costello–De Feo–Jao–Longa–Naehrig–Renes, 2017

KeyGen

  • 1. s_B ∈_R [0, 2^{⌊log₂ 3^{e_B}⌋})
  • 2. Set ker(φ_B) = ⟨P_B + [s_B]Q_B⟩
  • 3. pk_B = {φ_B(E_0), φ_B(P_A), φ_B(Q_A)}
  • 4. s ∈_R {0,1}^n
  • 5. keypair: sk_B = (s, s_B), pk_B

Encaps (input: pk_B)

  • 1. message m ∈_R {0,1}^n
  • 2. r = G(m, pk_B) mod 2^{e_A}
  • 3. Set ker(φ_A) = ⟨P_A + [r]Q_A⟩
  • 4. pk_A = {φ_A(E_0), φ_A(P_B), φ_A(Q_B)}
  • 5. j = j(E_BA) = j(φ′_A(φ_B(E_0)))
  • 6. Shared key: ss = H(m, c)

Steps 3–5 are the encryption: c = (pk_A, F(j) ⊕ m).

Decaps (input: sk_B = (s, s_B), c)

  • 1. j′ = j(E_AB) = j(φ′_B(φ_A(E_0)))
  • 2. m′ = F(j′) ⊕ c[2]
  • 3. r′ = G(m′, pk_B) mod 2^{e_A}
  • 4. Set ker(φ_A) = ⟨P_A + [r′]Q_A⟩
  • 5. pk′_A = {φ_A(E_0), φ_A(P_B), φ_A(Q_B)}
  • 6. If pk′_A = c[1] then shared key: ss = H(m′, c)
  • 7. Else ss = H(s, c)

Steps 1–2 are the decryption; steps 3–5 are the partial re-encryption (the second ciphertext component need not be recomputed: if j′ = j it matches by construction). F, G, H are instantiated with cSHAKE256.
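The KEM wrapper of the KeyGen/Encaps/Decaps steps above, as an added example that is not from the talk or from the SIKE submission: the re-encryption check and the implicit rejection in steps 6–7 are what turn a scheme that is unsafe under key reuse into one whose decapsulation oracle gives an attacker nothing, so the block shows a correct decapsulation, the deterministic encryption that makes re-encryption possible, and what a checked and an unchecked decapsulation each hand back for a tampered ciphertext. Assumptions: the IND-CPA PKE underneath is a stand-in hashed Diffie–Hellman over a toy 127-bit prime field with generator 3 (an ephemeral public key plus a one-time pad, the same shape as (pk_A, F(j) ⊕ m)), not SIDH and not a secure group; F, G, H are SHAKE256 with distinct prefixes rather than cSHAKE256; n is 16 bytes; `encaps_from_message` and `decaps_without_reencryption` are helper names introduced for the demonstration.

```python
# Added example (not from the talk or the SIKE submission): the HHK-style KEM wrapper of the SIKE
# slides over a stand-in IND-CPA PKE. Assumptions: toy hashed Diffie-Hellman mod a 127-bit prime with
# generator 3 (not a secure group) instead of SIDH; SHAKE256 with prefixes in place of cSHAKE256 for
# F, G, H; 16-byte messages; encaps_from_message / decaps_without_reencryption are demo helpers.
import hashlib, hmac, secrets

Q, GEN, N = 2**127 - 1, 3, 16                       # toy field, toy generator, byte length of m and ss

def shake(tag, *parts):
    return hashlib.shake_256(tag + b"".join(parts)).digest(N)

def F(j):     return shake(b"F", j.to_bytes(16, "big"))                               # pad from the shared value
def G(m, pk): return int.from_bytes(shake(b"G", m, pk.to_bytes(16, "big")), "big")  # r derived from (m, pk)
def H(m, c):  return shake(b"H", m, encode(c))                                      # session key from (m, c)

def xor(a, b): return bytes(u ^ v for u, v in zip(a, b))
def encode(c): return c[0].to_bytes(16, "big") + c[1]

# --- stand-in IND-CPA PKE with the SIDH shape: c = (ephemeral public key, F(shared) XOR m) ---
def pke_keygen():
    x = secrets.randbelow(Q - 2) + 1
    return x, pow(GEN, x, Q)

def pke_encrypt(pk, m, r):
    """Deterministic in r, which is what lets Decaps re-encrypt and compare."""
    return pow(GEN, r, Q), xor(F(pow(pk, r, Q)), m)

def pke_decrypt(x, c):
    return xor(F(pow(c[0], x, Q)), c[1])

# --- KEM: KeyGen / Encaps / Decaps following the slide's step numbers ---
def kem_keygen():
    x, pk = pke_keygen()
    s = secrets.token_bytes(N)                      # KeyGen 4: implicit-rejection secret, kept in sk
    return (s, x, pk), pk

def encaps_from_message(pk, m):
    r = G(m, pk) % (Q - 1)                          # Encaps 2: randomness derived from m (slide: mod 2^eA)
    c = pke_encrypt(pk, m, r)                       # Encaps 3-5: c = (pk_A, F(j) XOR m)
    return c, H(m, c)                               # Encaps 6: ss = H(m, c)

def kem_encaps(pk):
    return encaps_from_message(pk, secrets.token_bytes(N))   # Encaps 1: m random

def kem_decaps(sk, c):
    s, x, pk = sk
    m2 = pke_decrypt(x, c)                          # Decaps 1-2: decrypt
    r2 = G(m2, pk) % (Q - 1)                        # Decaps 3
    c2 = pke_encrypt(pk, m2, r2)                    # Decaps 4-5: re-encrypt (SIKE compares only pk_A')
    if hmac.compare_digest(encode(c2), encode(c)):  # Decaps 6 (real code also selects the key without a branch)
        return H(m2, c)
    return H(s, c)                                  # Decaps 7: implicit rejection, pseudorandom key, no error

def decaps_without_reencryption(sk, c):
    """A plain CPA decryption of whatever arrives: the kind of oracle a GPST-style attacker exploits."""
    s, x, pk = sk
    return H(pke_decrypt(x, c), c)
```

For an honest ciphertext both decapsulations return the encapsulated key. For a ciphertext with its second component altered, `kem_decaps` returns H(s, c′), a value that is the same on every repetition and unrelated to the decrypted message, whereas `decaps_without_reencryption` returns a key that depends on the attacker-controlled decryption result; it is that dependence, across many chosen ciphertexts, that static-key SIDH without the transform exposes.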

slide-28
SLIDE 28

SIDH library

  • Version 3.0 recently released: https://github.com/Microsoft/PQCrypto-SIDH
  • Implements SIDH and SIKE
  • Covers two security levels: SIDH/SIKEp503 (AES-128) and SIDH/SIKEp751 (AES-192)
  • With the following implementations:
  • A portable C implementation
  • A 64-bit optimized implementation
  • With high-speed x64 assembly code for the field arithmetic (Linux only)
  • With high-speed ARMv8 assembly code for the field arithmetic (SIDH/SIKEp751 only)
  • No secret branches, no secret memory accesses: code protected against cache and timing attacks!
  • Assembly code is not vulnerable to the recent branch target injection attacks (Spectre variant 2): it contains no branches
  • For the C code: make sure to use a compiler that has been patched!

slide-34
SLIDE 34

Performance on x64

Primitive                    Quantum sec.    Problem     Speed        Comm.
Classical
  RSA 3072                   ~0 bits         factoring   4.6 ms       0.8 KB
  ECDH NIST P-256            ~0 bits         EC dlog     1.4 ms       0.1 KB
Passively secure key exchange
  SIDHp503                   84 bits         isogenies   10.3 ms      0.7 KB
  SIDHp751                   125 bits        isogenies   31.5 ms      1.1 KB
IND-CCA secure KEMs
  Kyber                      161 bits        M-LWE       0.07 ms      1.2 KB
  FrodoKEM                   103–150 bits    LWE         1.2–2.3 ms   9.5–15.4 KB
  SIKEp503                   84 bits         isogenies   10.1 ms      0.4 KB
  SIKEp751                   125 bits        isogenies   30.5 ms      0.6 KB

The slide’s annotations: speed runs from very fast (Kyber) to slow (SIKE); communication from very small (SIKE) to large (FrodoKEM).

(*) Obtained on 3.4GHz Intel Haswell (Kyber) or Skylake (FrodoKEM and SIKE).

slide-35
SLIDE 35

Performance on 64-bit ARM

Implementation by Matthew Campagna (Amazon); timings obtained on a 1.992GHz 64-bit ARM Cortex-A72 processor.

Primitive   Speed
SIKEp503    53.4 ms
SIKEp751    171.6 ms

slide-36
SLIDE 36

SIKE in the NIST post-quantum “competition”

  • Package (protocol specifications and implementations) submitted to NIST: https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum-Cryptography/documents/round-1/submissions/SIKE.zip

slide-37
SLIDE 37

The full SIKE team

Reza Azarderakhsh, Matthew Campagna, Craig Costello, Luca De Feo, Basil Hess, David Jao, Brian Koziel, Brian LaMacchia, Patrick Longa, Michael Naehrig, Joost Renes, Vladimir Soukharev


slide-38
SLIDE 38

Other relevant work in 2017

  • Faster compression: Zanon et al. https://eprint.iacr.org/2017/1143
  • Optimized algorithms: Faz-Hernández et al. https://eprint.iacr.org/2017/1015
  • Signatures: Yoo et al. https://eprint.iacr.org/2017/186, and Galbraith et al. https://eprint.iacr.org/2016/1154

slide-39
SLIDE 39

References

  • J.-M. Couveignes. Computing l-isogenies using the p-torsion, in ANTS-II, 1996.
  • J.-M. Couveignes. Hard homogeneous spaces, 1997. https://eprint.iacr.org/2006/291
  • A. Childs, D. Jao, V. Soukharev. Constructing elliptic curve isogenies in quantum subexponential time, Journal of Math. Cryptology, 2014. http://arxiv.org/abs/1012.4019 (2010)
  • C. Costello, P. Longa, M. Naehrig. Efficient algorithms for supersingular isogeny Diffie-Hellman, in Advances in Cryptology–CRYPTO 2016. https://eprint.iacr.org/2016/413
  • S.D. Galbraith, C. Petit, B. Shani, Y.B. Ti. On the security of supersingular isogeny cryptosystems, in ASIACRYPT 2016.
  • D. Jao, L. De Feo. Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies, in PQCrypto 2011.
  • A. Rostovtsev and A. Stolbunov. Public-key cryptosystem based on isogenies, 2006. https://eprint.iacr.org/2006/145
  • A. Stolbunov. Constructing public-key cryptographic schemes based on class group action on a set of isogenous elliptic curves, in Adv. Math. Commun., 2010.

slide-40
SLIDE 40

https://www.microsoft.com/en-us/research/people/plonga/