https://www.microsoft.com/en-us/research/people/plonga/
Quick motivation recap • Quantum computers break public -key cryptography currently in use: cryptosystems based on factoring and (elliptic curve) discrete logarithms • NIST launches the post -quantum cryptography standardization project: https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum-Cryptography/documents/ call-for-proposals-final-dec-2016.pdf “The goal of this process is to select a number of acceptable candidate cryptosystems for standardization.” (This includes: digital signatures, encryption and key encapsulation). Real World Crypto 2018 Patrick Longa – Supersingular isogeny crypto gets practical 1
Post-quantum candidates Code-based McEliece Lattice-based NTRU, LWE-based Hash-based Merkle’s hash-tree signatures Multivariate HFE v- signature scheme Isogeny-based SIDH, SIKE Real World Crypto 2018 Patrick Longa – Supersingular isogeny crypto gets practical 2
Post-quantum candidates: : in this talk… Code-based McEliece Lattice-based NTRU, LWE-based Hash-based Merkle’s hash -tree signatures Multivariate HFE v- signature scheme Isogeny-based SIDH, SIKE Real World Crypto 2018 Patrick Longa – Supersingular isogeny crypto gets practical 2
(A brief) Timeline of isogeny-based crypto, part I 1996 Couveignes describes first isogeny-based (key exchange) scheme. 2006 Rostovtsev and Stolbunov, and later Stolbunov (2010), propose key exchange using ordinary isogenies. • These schemes are impractical, and • Can be broken in (quantum) subexponential time (Childs, Jao and Soukharev 2010). 2010 Jao and De Feo propose key exchange using supersingular isogenies (SIDH). • Much better performance. • Best quantum and classical attack complexity is, as of today, exponential. Real World Crypto 2018 Patrick Longa – Supersingular isogeny crypto gets practical 3
Supersingular Is Isogeny Dif iffi fie-Hellman (S (SID IDH) private Alice private Bob public params E ’ s are isogenous curves P ’ s, Q ’ s, R ’ s, S ’ s are points 𝐹 0 Real World Crypto 2018 Patrick Longa – Supersingular isogeny crypto gets practical 4
Supersingular Is Isogeny Dif iffi fie-Hellman (S (SID IDH) private Alice private Bob public params E ’ s are isogenous curves P ’ s, Q ’ s, R ’ s, S ’ s are points 𝐹 0 Real World Crypto 2018 Patrick Longa – Supersingular isogeny crypto gets practical 4
Supersingular Is Isogeny Dif iffi fie-Hellman (S (SID IDH) private Alice private Bob public params 𝐹 𝐵 = 𝐹 0 / 𝐵 E ’ s are isogenous curves P ’ s, Q ’ s, R ’ s, S ’ s are points 𝐹 0 Real World Crypto 2018 Patrick Longa – Supersingular isogeny crypto gets practical 4
Supersingular Is Isogeny Dif iffi fie-Hellman (S (SID IDH) private Alice private Bob public params 𝐹 𝐵 = 𝐹 0 / 𝐵 E ’ s are isogenous curves P ’ s, Q ’ s, R ’ s, S ’ s are points 𝐹 0 𝐹 𝐶 = 𝐹 0 / 𝐶 Real World Crypto 2018 Patrick Longa – Supersingular isogeny crypto gets practical 4
Supersingular Is Isogeny Dif iffi fie-Hellman (S (SID IDH) private Alice private Bob public params 𝐹 𝐵 = 𝐹 0 / 𝐵 E ’ s are isogenous curves P ’ s, Q ’ s, R ’ s, S ’ s are points 𝐹 0 𝐹 𝐶 = 𝐹 0 / 𝐶 Real World Crypto 2018 Patrick Longa – Supersingular isogeny crypto gets practical 4
Supersingular Isogeny Diffie-Hellman (SIDH) private Alice private Bob 𝑆 𝐵 , 𝑇 𝐵 = {𝜚 𝐵 𝑄 𝐶 , 𝜚 𝐵 (𝑅 𝐶 )} public params 𝐹 𝐵 = 𝐹 0 / 𝐵 E ’ s are isogenous curves P ’ s, Q ’ s, R ’ s, S ’ s are points 𝐹 0 𝐹 𝐶 = 𝐹 0 / 𝐶 𝑆 𝐶 , 𝑇 𝐶 = {𝜚 𝐶 𝑄 𝐵 , 𝜚 𝐶 (𝑅 𝐵 )} Real World Crypto 2018 Patrick Longa – Supersingular isogeny crypto gets practical 4
Supersingular Isogeny Diffie-Hellman (SIDH) private Alice private Bob 𝑆 𝐵 , 𝑇 𝐵 = {𝜚 𝐵 𝑄 𝐶 , 𝜚 𝐵 (𝑅 𝐶 )} public params 𝐹 𝐵 = 𝐹 0 / 𝐵 E ’ s are isogenous curves P ’ s, Q ’ s, R ’ s, S ’ s are points 𝐹 0 ′ ) = 𝐵′ = 𝑆 𝐶 + [𝑡 𝐵 ]𝑇 𝐶 𝑙𝑓𝑠(𝜚 𝐵 𝐹 𝐶𝐵 = 𝐹 𝐶 / 𝐵′ ′ 𝐹 𝐶 𝜚 𝐵 = 𝐹 0 / 𝐶 𝑆 𝐶 , 𝑇 𝐶 = {𝜚 𝐶 𝑄 𝐵 , 𝜚 𝐶 (𝑅 𝐵 )} Real World Crypto 2018 Patrick Longa – Supersingular isogeny crypto gets practical 4
Supersingular Is Isogeny Dif iffi fie-Hellman (S (SID IDH) private Alice private Bob 𝑆 𝐵 , 𝑇 𝐵 = {𝜚 𝐵 𝑄 𝐶 , 𝜚 𝐵 (𝑅 𝐶 )} public params ′ 𝐹 𝐵 = 𝐹 0 / 𝐵 𝜚 𝐶 E ’ s are isogenous curves 𝐹 𝐵𝐶 = 𝐹 𝐵 / 𝐶 ′ P ’ s, Q ’ s, R ’ s, S ’ s are points = 𝐶 ′ = 𝑆 𝐵 + [𝑡 𝐶 ]𝑇 𝐵 ′ 𝑙𝑓𝑠 𝜚 𝐶 𝐹 0 ′ ) = 𝐵′ = 𝑆 𝐶 + [𝑡 𝐵 ]𝑇 𝐶 𝑙𝑓𝑠(𝜚 𝐵 𝐹 𝐶𝐵 = 𝐹 𝐶 / 𝐵′ ′ 𝐹 𝐶 𝜚 𝐵 = 𝐹 0 / 𝐶 𝑆 𝐶 , 𝑇 𝐶 = {𝜚 𝐶 𝑄 𝐵 , 𝜚 𝐶 (𝑅 𝐵 )} Real World Crypto 2018 Patrick Longa – Supersingular isogeny crypto gets practical 4
Supersingular Is Isogeny Dif iffi fie-Hellman (S (SID IDH) private Alice private Bob 𝑆 𝐵 , 𝑇 𝐵 = {𝜚 𝐵 𝑄 𝐶 , 𝜚 𝐵 (𝑅 𝐶 )} public params ′ 𝐹 𝐵 = 𝐹 0 / 𝐵 𝜚 𝐶 E ’ s are isogenous curves 𝐹 𝐵𝐶 = 𝐹 𝐵 / 𝐶 ′ P ’ s, Q ’ s, R ’ s, S ’ s are points = 𝐶 ′ = 𝑆 𝐵 + [𝑡 𝐶 ]𝑇 𝐵 ′ 𝑙𝑓𝑠 𝜚 𝐶 𝐹 0 ′ ) = 𝐵′ = 𝑆 𝐶 + [𝑡 𝐵 ]𝑇 𝐶 𝑙𝑓𝑠(𝜚 𝐵 𝐹 𝐶𝐵 = 𝐹 𝐶 / 𝐵′ ′ 𝐹 𝐶 𝜚 𝐵 = 𝐹 0 / 𝐶 𝑆 𝐶 , 𝑇 𝐶 = {𝜚 𝐶 𝑄 𝐵 , 𝜚 𝐶 (𝑅 𝐵 )} ′ (𝜚 𝐵 (𝐹 0 )) ≅ 𝐹 0 / 𝑄 ′ (𝜚 𝐶 𝐹 0 ) 𝐹 𝐵𝐶 = 𝜚 𝐶 𝐵 + [𝑡 𝐵 ]𝑅 𝐵 , 𝑄 𝐶 + [𝑡 𝐶 ]𝑅 𝐶 ≅ 𝐹 𝐶𝐵 = 𝜚 𝐵 Real World Crypto 2018 Patrick Longa – Supersingular isogeny crypto gets practical 4
Supersingular Is Isogeny Dif iffi fie-Hellman (S (SID IDH) private Alice private Bob 𝑆 𝐵 , 𝑇 𝐵 = {𝜚 𝐵 𝑄 𝐶 , 𝜚 𝐵 (𝑅 𝐶 )} public params 𝐹 𝐵 = 𝐹 0 / 𝐵 E ’ s are isogenous curves P ’ s, Q ’ s, R ’ s, S ’ s are points 𝐹 0 𝐹 0 / 𝐵, 𝐶 𝐹 𝐶 = 𝐹 0 / 𝐶 𝑆 𝐶 , 𝑇 𝐶 = {𝜚 𝐶 𝑄 𝐵 , 𝜚 𝐶 (𝑅 𝐵 )} ′ (𝜚 𝐵 (𝐹 0 )) ≅ 𝐹 0 / 𝑄 ′ (𝜚 𝐶 𝐹 0 ) 𝐹 𝐵𝐶 = 𝜚 𝐶 𝐵 + [𝑡 𝐵 ]𝑅 𝐵 , 𝑄 𝐶 + [𝑡 𝐶 ]𝑅 𝐶 ≅ 𝐹 𝐶𝐵 = 𝜚 𝐵 Real World Crypto 2018 Patrick Longa – Supersingular isogeny crypto gets practical 4
SIDH security Setting: supersingular curves 𝐹 1 /𝔾 𝑞 2 and 𝐹 2 /𝔾 𝑞 2 , a large prime 𝑞 , and isogeny 𝜚: 𝐹 1 → 𝐹 2 with fixed, smooth, public degree. Supersingular isogeny problem: given 𝑄, 𝑅 ∈ 𝐹 1 and 𝜚 𝑄 1 , 𝜚 𝑄 2 ∈ 𝐹 2 , compute 𝜚 . • Best known attacks: classical 𝑃(𝑞 1/4 ) and quantum 𝑃(𝑞 1/6 ) via generic claw finding algorithms Real World Crypto 2018 Patrick Longa – Supersingular isogeny crypto gets practical 5
Supersingular Is Isogeny Dif iffi fie-Hellman (S (SID IDH) (Until recently) two problems remained: • Existing realizations were still slow (running in the hundreds of milliseconds) and unprotected against side-channel attacks • SIDH is not secure when keys are reused (Galbraith -Petit-Shani-Ti 2016) • Only recommended in ephemeral mode Real World Crypto 2018 Patrick Longa – Supersingular isogeny crypto gets practical 6
Recommend
More recommend
