Improved Digital Signatures Based on Elliptic Curve Endomorphism - - PowerPoint PPT Presentation

Improved Digital Signatures Based on Elliptic Curve Endomorphism Rings

Xiu Xu 3,4,5 Christopher Leonardi 1 Anzo Teh1 David Jao 1,2 Kunpeng Wang 3,4,5 Wei Yu 3,4,5 Reza Azarderakhsh 6

[1] Department of Combinatorics and Optimization, University of Waterloo [2] evolutionQ, Inc., Waterloo, Ontario, Canada [3] State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China [4] Data Assurance and Communications Security Research Center, Beijing, China [5] School of Cyber Security, University of Chinese Academy of Sciences [6] Department of Computer and Electrical Engineering and Computer Science, Florida Atlantic University

Xu Leonardi Teh Jao Wang Yu Azarderakhsh PQ Digital Signature Improvements November 28 2019 1 / 20

1

Introduction

2

Digital Signature Scheme Elliptic Curve Background GPS Signatures

3

Our Improvements #1: Isogeny-to-Ideal #2: Ideal-to-Isogeny #3: Parallel Instances Performance

4

Conclusion

Xu Leonardi Teh Jao Wang Yu Azarderakhsh PQ Digital Signature Improvements November 28 2019 2 / 20

Introduction

Topic of discussion: Galbraith-Petit-Silva digital signature scheme (AsiaCrypt 2017).

Xu Leonardi Teh Jao Wang Yu Azarderakhsh PQ Digital Signature Improvements November 28 2019 3 / 20

Introduction

Topic of discussion: Galbraith-Petit-Silva digital signature scheme (AsiaCrypt 2017). Implementations are not widely available because: – one subroutine is mathematically complicated, and – signing would be too inefficient to be practical.

Xu Leonardi Teh Jao Wang Yu Azarderakhsh PQ Digital Signature Improvements November 28 2019 3 / 20

Introduction

Topic of discussion: Galbraith-Petit-Silva digital signature scheme (AsiaCrypt 2017). Implementations are not widely available because: – one subroutine is mathematically complicated, and – signing would be too inefficient to be practical. Our work presents three major ways to improve efficiency, and implements the scheme in SAGE.

Xu Leonardi Teh Jao Wang Yu Azarderakhsh PQ Digital Signature Improvements November 28 2019 3 / 20

Digital Signature Scheme Elliptic Curve Background

Elliptic curve E : y2 = x3 + ax + b over a finite field Fpn is a finite Abelian group (operation is “+”, identity is ∞).

Xu Leonardi Teh Jao Wang Yu Azarderakhsh PQ Digital Signature Improvements November 28 2019 4 / 20

Digital Signature Scheme Elliptic Curve Background

Elliptic curve E : y2 = x3 + ax + b over a finite field Fpn is a finite Abelian group (operation is “+”, identity is ∞). The m-torsion subgroup E[m] = {P ∈ E(Fp) : [m]P = ∞}.

Xu Leonardi Teh Jao Wang Yu Azarderakhsh PQ Digital Signature Improvements November 28 2019 4 / 20

Digital Signature Scheme Elliptic Curve Background

Elliptic curve E : y2 = x3 + ax + b over a finite field Fpn is a finite Abelian group (operation is “+”, identity is ∞). The m-torsion subgroup E[m] = {P ∈ E(Fp) : [m]P = ∞}. If ∀r ∈ N, E[pr] = {∞}, then E is called supersingular. Otherwise ∀r ∈ N, E[pr] ∼ = Z/prZ and is called ordinary.

Xu Leonardi Teh Jao Wang Yu Azarderakhsh PQ Digital Signature Improvements November 28 2019 4 / 20

Digital Signature Scheme Elliptic Curve Background

Elliptic curve E : y2 = x3 + ax + b over a finite field Fpn is a finite Abelian group (operation is “+”, identity is ∞). The m-torsion subgroup E[m] = {P ∈ E(Fp) : [m]P = ∞}. If ∀r ∈ N, E[pr] = {∞}, then E is called supersingular. Otherwise ∀r ∈ N, E[pr] ∼ = Z/prZ and is called ordinary. The j-invariant is a unique element of Fpn associated to each Fpn-isomorphism family of elliptic curves. j(E) = 1728 4a3 4a3 + 27b2 ∈ Fpn

Xu Leonardi Teh Jao Wang Yu Azarderakhsh PQ Digital Signature Improvements November 28 2019 4 / 20

Digital Signature Scheme Elliptic Curve Background

Elliptic curve E : y2 = x3 + ax + b over a finite field Fpn is a finite Abelian group (operation is “+”, identity is ∞). The m-torsion subgroup E[m] = {P ∈ E(Fp) : [m]P = ∞}. If ∀r ∈ N, E[pr] = {∞}, then E is called supersingular. Otherwise ∀r ∈ N, E[pr] ∼ = Z/prZ and is called ordinary. The j-invariant is a unique element of Fpn associated to each Fpn-isomorphism family of elliptic curves. j(E) = 1728 4a3 4a3 + 27b2 ∈ Fpn Supersingular elliptic curves are always defined over Fp2.

Xu Leonardi Teh Jao Wang Yu Azarderakhsh PQ Digital Signature Improvements November 28 2019 4 / 20

Digital Signature Scheme Elliptic Curve Background

Isogenies are rational morphisms between elliptic curves, and have associated degrees.

Xu Leonardi Teh Jao Wang Yu Azarderakhsh PQ Digital Signature Improvements November 28 2019 5 / 20

Digital Signature Scheme Elliptic Curve Background

Isogenies are rational morphisms between elliptic curves, and have associated degrees. e.g. E(F23) : y2 = x3 + x, E ′(F23) : y2 = x3 + 13 φ : E(F23) → E ′(F23), deg(φ) = 3 φ(x, y) = x3 + 10x2 + 16x + 10 x2 + 10x + 2 , (x3 + 15x2 + 15x + 14)y x3 + 15x2 + 6x + 10

• Xu Leonardi Teh Jao Wang Yu Azarderakhsh

PQ Digital Signature Improvements November 28 2019 5 / 20

Digital Signature Scheme Elliptic Curve Background

Isogenies are rational morphisms between elliptic curves, and have associated degrees. e.g. E(F23) : y2 = x3 + x, E ′(F23) : y2 = x3 + 13 φ : E(F23) → E ′(F23), deg(φ) = 3 φ(x, y) = x3 + 10x2 + 16x + 10 x2 + 10x + 2 , (x3 + 15x2 + 15x + 14)y x3 + 15x2 + 6x + 10

• Isogenies can be composed: if φ : E1 → E2 has degree d1, and

ψ : E2 → E3 has degree d2, then ψ ◦ φ : E1 → E3 has degree d1d2.

Xu Leonardi Teh Jao Wang Yu Azarderakhsh PQ Digital Signature Improvements November 28 2019 5 / 20

Digital Signature Scheme Elliptic Curve Background

Isogenies are rational morphisms between elliptic curves, and have associated degrees. e.g. E(F23) : y2 = x3 + x, E ′(F23) : y2 = x3 + 13 φ : E(F23) → E ′(F23), deg(φ) = 3 φ(x, y) = x3 + 10x2 + 16x + 10 x2 + 10x + 2 , (x3 + 15x2 + 15x + 14)y x3 + 15x2 + 6x + 10

• Isogenies can be composed: if φ : E1 → E2 has degree d1, and

ψ : E2 → E3 has degree d2, then ψ ◦ φ : E1 → E3 has degree d1d2. The endomorphism ring of an elliptic curve, End(E), is the (non-commutative) ring of all isogenies from E to itself.

Xu Leonardi Teh Jao Wang Yu Azarderakhsh PQ Digital Signature Improvements November 28 2019 5 / 20

Digital Signature Scheme Elliptic Curve Background

Isogenies are rational morphisms between elliptic curves, and have associated degrees. e.g. E(F23) : y2 = x3 + x, E ′(F23) : y2 = x3 + 13 φ : E(F23) → E ′(F23), deg(φ) = 3 φ(x, y) = x3 + 10x2 + 16x + 10 x2 + 10x + 2 , (x3 + 15x2 + 15x + 14)y x3 + 15x2 + 6x + 10

• Isogenies can be composed: if φ : E1 → E2 has degree d1, and

ψ : E2 → E3 has degree d2, then ψ ◦ φ : E1 → E3 has degree d1d2. The endomorphism ring of an elliptic curve, End(E), is the (non-commutative) ring of all isogenies from E to itself. Right ideals of End(E) are associated to isogenies with domain E.

Xu Leonardi Teh Jao Wang Yu Azarderakhsh PQ Digital Signature Improvements November 28 2019 5 / 20

Digital Signature Scheme Elliptic Curve Background

Isogenies are rational morphisms between elliptic curves, and have associated degrees. e.g. E(F23) : y2 = x3 + x, E ′(F23) : y2 = x3 + 13 φ : E(F23) → E ′(F23), deg(φ) = 3 φ(x, y) = x3 + 10x2 + 16x + 10 x2 + 10x + 2 , (x3 + 15x2 + 15x + 14)y x3 + 15x2 + 6x + 10

• Isogenies can be composed: if φ : E1 → E2 has degree d1, and

ψ : E2 → E3 has degree d2, then ψ ◦ φ : E1 → E3 has degree d1d2. The endomorphism ring of an elliptic curve, End(E), is the (non-commutative) ring of all isogenies from E to itself. Right ideals of End(E) are associated to isogenies with domain E. Knowledge of an elliptic curve’s endomorphism ring can be used as Trapdoor Information.

Xu Leonardi Teh Jao Wang Yu Azarderakhsh PQ Digital Signature Improvements November 28 2019 5 / 20

Digital Signature Scheme Elliptic Curve Background

Hard and Easy Problems with Isogenies Consider a supersingular E(Fp2), and a hash function H which outputs isogenies with domain E. End(E) known End(E) unknown Preimage resistant

• 2nd Preimage resistant

X

• Collision resistant

X

• Xu Leonardi Teh Jao Wang Yu Azarderakhsh

PQ Digital Signature Improvements November 28 2019 6 / 20

Digital Signature Scheme Elliptic Curve Background

Easy Problems Hard Problems Let E(Fp2) be a supersingular elliptic curve. Given E, compute an arbitrary isogeny with domain E and smooth degree (e.g. 2m).

1Kohel, Lauter, Petit, Tignol “On the quaternion ℓ-isogeny path problem”, 2014. Xu Leonardi Teh Jao Wang Yu Azarderakhsh PQ Digital Signature Improvements November 28 2019 7 / 20

Digital Signature Scheme Elliptic Curve Background

Easy Problems Hard Problems Let E(Fp2) be a supersingular elliptic curve. Given E, compute an arbitrary isogeny with domain E and smooth degree (e.g. 2m). Given E and E ′(Fp2), find an isogeny from E to E ′.

1Kohel, Lauter, Petit, Tignol “On the quaternion ℓ-isogeny path problem”, 2014. Xu Leonardi Teh Jao Wang Yu Azarderakhsh PQ Digital Signature Improvements November 28 2019 7 / 20

Digital Signature Scheme Elliptic Curve Background

Easy Problems Hard Problems Let E(Fp2) be a supersingular elliptic curve. Given E, compute an arbitrary isogeny with domain E and smooth degree (e.g. 2m). Given E and E ′(Fp2), find an isogeny from E to E ′. Given E, E ′(Fp2), End(E), and End(E ′), and d ∈ N, find an isogeny from E to E ′ of degree d. 1

1Kohel, Lauter, Petit, Tignol “On the quaternion ℓ-isogeny path problem”, 2014. Xu Leonardi Teh Jao Wang Yu Azarderakhsh PQ Digital Signature Improvements November 28 2019 7 / 20

Digital Signature Scheme Elliptic Curve Background

Easy Problems Hard Problems Let E(Fp2) be a supersingular elliptic curve. Given E, compute an arbitrary isogeny with domain E and smooth degree (e.g. 2m). Given E and E ′(Fp2), find an isogeny from E to E ′. Given E, E ′(Fp2), End(E), and End(E ′), and d ∈ N, find an isogeny from E to E ′ of degree d. 1 Given E, E ′(Fp2), and End(E), find an isogeny from E to E ′.

1Kohel, Lauter, Petit, Tignol “On the quaternion ℓ-isogeny path problem”, 2014. Xu Leonardi Teh Jao Wang Yu Azarderakhsh PQ Digital Signature Improvements November 28 2019 7 / 20

Digital Signature Scheme Elliptic Curve Background

Easy Problems Hard Problems Let E(Fp2) be a supersingular elliptic curve. Given E, compute an arbitrary isogeny with domain E and smooth degree (e.g. 2m). Given E and E ′(Fp2), find an isogeny from E to E ′. Given E, E ′(Fp2), End(E), and End(E ′), and d ∈ N, find an isogeny from E to E ′ of degree d. 1 Given E, E ′(Fp2), and End(E), find an isogeny from E to E ′. Given E, End(E), and φ : E → E ′, find End(E ′).

1Kohel, Lauter, Petit, Tignol “On the quaternion ℓ-isogeny path problem”, 2014. Xu Leonardi Teh Jao Wang Yu Azarderakhsh PQ Digital Signature Improvements November 28 2019 7 / 20

Digital Signature Scheme Elliptic Curve Background

Easy Problems Hard Problems Let E(Fp2) be a supersingular elliptic curve. Given E, compute an arbitrary isogeny with domain E and smooth degree (e.g. 2m). Given E and E ′(Fp2), find an isogeny from E to E ′. Given E, E ′(Fp2), End(E), and End(E ′), and d ∈ N, find an isogeny from E to E ′ of degree d. 1 Given E, E ′(Fp2), and End(E), find an isogeny from E to E ′. Given E, End(E), and φ : E → E ′, find End(E ′). The GPS signature scheme uses these discrepancies to make an Identification Protocol.

1Kohel, Lauter, Petit, Tignol “On the quaternion ℓ-isogeny path problem”, 2014. Xu Leonardi Teh Jao Wang Yu Azarderakhsh PQ Digital Signature Improvements November 28 2019 7 / 20

Digital Signature Scheme GPS Signatures

Setup: Elliptic curve E(F2

p), End(E), and L ∈ N.

Xu Leonardi Teh Jao Wang Yu Azarderakhsh PQ Digital Signature Improvements November 28 2019 8 / 20

Digital Signature Scheme GPS Signatures

Setup: Elliptic curve E(F2

p), End(E), and L ∈ N.

Private key: Isogeny φ : E → EPK with L-smooth degree (all prime powers dividing deg φ are less than L). Public Key: EPK.

Xu Leonardi Teh Jao Wang Yu Azarderakhsh PQ Digital Signature Improvements November 28 2019 8 / 20

Digital Signature Scheme GPS Signatures

Setup: Elliptic curve E(F2

p), End(E), and L ∈ N.

Private key: Isogeny φ : E → EPK with L-smooth degree (all prime powers dividing deg φ are less than L). Public Key: EPK.

E EP K

φ

✲

Xu Leonardi Teh Jao Wang Yu Azarderakhsh PQ Digital Signature Improvements November 28 2019 8 / 20

Digital Signature Scheme GPS Signatures

Setup: Elliptic curve E(F2

p), End(E), and L ∈ N.

Private key: Isogeny φ : E → EPK with L-smooth degree (all prime powers dividing deg φ are less than L). Public Key: EPK.

E EP K

φ

✲

Prover computes an isogeny ψ : EPK → EC with L-smooth degree. Commitment: EC.

Xu Leonardi Teh Jao Wang Yu Azarderakhsh PQ Digital Signature Improvements November 28 2019 8 / 20

Digital Signature Scheme GPS Signatures

Setup: Elliptic curve E(F2

p), End(E), and L ∈ N.

Private key: Isogeny φ : E → EPK with L-smooth degree (all prime powers dividing deg φ are less than L). Public Key: EPK.

E EP K

φ

✲

Prover computes an isogeny ψ : EPK → EC with L-smooth degree. Commitment: EC.

E EP K EC

φ ψ

✲

• ✠

Xu Leonardi Teh Jao Wang Yu Azarderakhsh PQ Digital Signature Improvements November 28 2019 8 / 20

Digital Signature Scheme GPS Signatures

Challenge is b = 0 or b = 1. When b = 0, the Prover reveals φ.

Xu Leonardi Teh Jao Wang Yu Azarderakhsh PQ Digital Signature Improvements November 28 2019 9 / 20

Digital Signature Scheme GPS Signatures

Challenge is b = 0 or b = 1. When b = 0, the Prover reveals φ.

E EP K EC

φ

✲

• ✠

ψ, b = 0

Xu Leonardi Teh Jao Wang Yu Azarderakhsh PQ Digital Signature Improvements November 28 2019 9 / 20

Digital Signature Scheme GPS Signatures

Challenge is b = 0 or b = 1. When b = 0, the Prover reveals φ.

E EP K EC

φ

✲

• ✠

ψ, b = 0

When b = 1, the Prover reveals some isogeny η from E to EC with L-smooth degree.

Xu Leonardi Teh Jao Wang Yu Azarderakhsh PQ Digital Signature Improvements November 28 2019 9 / 20

Digital Signature Scheme GPS Signatures

Challenge is b = 0 or b = 1. When b = 0, the Prover reveals φ.

E EP K EC

φ

✲

• ✠

ψ, b = 0

When b = 1, the Prover reveals some isogeny η from E to EC with L-smooth degree.

E EP K EC Warning: η = ψ ◦ φ

φ

✲

• ✠

b = 0 : ψ b = 1 : η ❅ ❅ ❅ ❅ ❅ ❅ ❘

Xu Leonardi Teh Jao Wang Yu Azarderakhsh PQ Digital Signature Improvements November 28 2019 9 / 20

Digital Signature Scheme GPS Signatures

When b = 1, η is computed as follows: (i) Compute End(EC) by pushing End(E) through ψ ◦ φ.

Xu Leonardi Teh Jao Wang Yu Azarderakhsh PQ Digital Signature Improvements November 28 2019 10 / 20

Digital Signature Scheme GPS Signatures

When b = 1, η is computed as follows: (i) Compute End(EC) by pushing End(E) through ψ ◦ φ. (ii) (Isogeny-to-ideal) Use ψ ◦ φ to compute a right ideal I of End(E) which is a left ideal of End(EC).

Xu Leonardi Teh Jao Wang Yu Azarderakhsh PQ Digital Signature Improvements November 28 2019 10 / 20

Digital Signature Scheme GPS Signatures

When b = 1, η is computed as follows: (i) Compute End(EC) by pushing End(E) through ψ ◦ φ. (ii) (Isogeny-to-ideal) Use ψ ◦ φ to compute a right ideal I of End(E) which is a left ideal of End(EC). (iii) Renormalize I to another ideal J so that it corresponds to an isogeny with L-smooth degree.

Xu Leonardi Teh Jao Wang Yu Azarderakhsh PQ Digital Signature Improvements November 28 2019 10 / 20

Digital Signature Scheme GPS Signatures

When b = 1, η is computed as follows: (i) Compute End(EC) by pushing End(E) through ψ ◦ φ. (ii) (Isogeny-to-ideal) Use ψ ◦ φ to compute a right ideal I of End(E) which is a left ideal of End(EC). (iii) Renormalize I to another ideal J so that it corresponds to an isogeny with L-smooth degree. (iv) (Ideal-to-isogeny) Translate J to an isogeny η.

Xu Leonardi Teh Jao Wang Yu Azarderakhsh PQ Digital Signature Improvements November 28 2019 10 / 20

Digital Signature Scheme GPS Signatures

When b = 1, η is computed as follows: (i) Compute End(EC) by pushing End(E) through ψ ◦ φ. (ii) (Isogeny-to-ideal) Use ψ ◦ φ to compute a right ideal I of End(E) which is a left ideal of End(EC). (iii) Renormalize I to another ideal J so that it corresponds to an isogeny with L-smooth degree. (iv) (Ideal-to-isogeny) Translate J to an isogeny η. The output isogeny η will have domain E, codomain EC, and L-smooth degree.

Xu Leonardi Teh Jao Wang Yu Azarderakhsh PQ Digital Signature Improvements November 28 2019 10 / 20

Our Improvements #1: Isogeny-to-Ideal

The goal: given ψ ◦ φ, improve the computation of the ideal I

Xu Leonardi Teh Jao Wang Yu Azarderakhsh PQ Digital Signature Improvements November 28 2019 11 / 20

Our Improvements #1: Isogeny-to-Ideal

The goal: given ψ ◦ φ, improve the computation of the ideal I This step includes a “half point” computation, which is: given P ∈ E(Fpn), find some P′ such that [2]P′ = P.

Xu Leonardi Teh Jao Wang Yu Azarderakhsh PQ Digital Signature Improvements November 28 2019 11 / 20

Our Improvements #1: Isogeny-to-Ideal

The goal: given ψ ◦ φ, improve the computation of the ideal I This step includes a “half point” computation, which is: given P ∈ E(Fpn), find some P′ such that [2]P′ = P. The original method involved solving a large degree polynomial.

Xu Leonardi Teh Jao Wang Yu Azarderakhsh PQ Digital Signature Improvements November 28 2019 11 / 20

Our Improvements #1: Isogeny-to-Ideal

The goal: given ψ ◦ φ, improve the computation of the ideal I This step includes a “half point” computation, which is: given P ∈ E(Fpn), find some P′ such that [2]P′ = P. The original method involved solving a large degree polynomial. We observe that since the order of P is known at this step, some odd N ∈ Z, we can compute P′ as N+1

2

• P.

Xu Leonardi Teh Jao Wang Yu Azarderakhsh PQ Digital Signature Improvements November 28 2019 11 / 20

Our Improvements #1: Isogeny-to-Ideal

The goal: given ψ ◦ φ, improve the computation of the ideal I This step includes a “half point” computation, which is: given P ∈ E(Fpn), find some P′ such that [2]P′ = P. The original method involved solving a large degree polynomial. We observe that since the order of P is known at this step, some odd N ∈ Z, we can compute P′ as N+1

2

• P.

This decrease in cost from this modification is only marginal, but this computation is used widely throughout the signing algorithm.

Xu Leonardi Teh Jao Wang Yu Azarderakhsh PQ Digital Signature Improvements November 28 2019 11 / 20

Our Improvements #1: Isogeny-to-Ideal

When b = 1, the output isogeny η will be a composition of isogenies, each with prime power degrees less than L. η = ηk ◦ · · · ◦ η1. ηi : Ei−1 → Ei, where E0 = E and Ek = EC.

Xu Leonardi Teh Jao Wang Yu Azarderakhsh PQ Digital Signature Improvements November 28 2019 12 / 20

Our Improvements #1: Isogeny-to-Ideal

When b = 1, the output isogeny η will be a composition of isogenies, each with prime power degrees less than L. η = ηk ◦ · · · ◦ η1. ηi : Ei−1 → Ei, where E0 = E and Ek = EC. Suppose the degree of ηi is the prime power ℓe.

Xu Leonardi Teh Jao Wang Yu Azarderakhsh PQ Digital Signature Improvements November 28 2019 12 / 20

Our Improvements #1: Isogeny-to-Ideal

When b = 1, the output isogeny η will be a composition of isogenies, each with prime power degrees less than L. η = ηk ◦ · · · ◦ η1. ηi : Ei−1 → Ei, where E0 = E and Ek = EC. Suppose the degree of ηi is the prime power ℓe. When constructing the ideal I, it can be done for each ℓe individually and then combined.

Xu Leonardi Teh Jao Wang Yu Azarderakhsh PQ Digital Signature Improvements November 28 2019 12 / 20

Our Improvements #1: Isogeny-to-Ideal

When b = 1, the output isogeny η will be a composition of isogenies, each with prime power degrees less than L. η = ηk ◦ · · · ◦ η1. ηi : Ei−1 → Ei, where E0 = E and Ek = EC. Suppose the degree of ηi is the prime power ℓe. When constructing the ideal I, it can be done for each ℓe individually and then combined. We improve the runtime of step (ii) (isogeny-to-ideal) from poly(ℓe) to poly(ℓ, e).

Xu Leonardi Teh Jao Wang Yu Azarderakhsh PQ Digital Signature Improvements November 28 2019 12 / 20

Our Improvements #1: Isogeny-to-Ideal

Let Q = ker ηi ⊂ E(Fpn). To find the ideal I, we need a solution α ∈End(E) to α(Q) = 0, and deg α ≡ 0 mod ℓe.

Xu Leonardi Teh Jao Wang Yu Azarderakhsh PQ Digital Signature Improvements November 28 2019 13 / 20

Our Improvements #1: Isogeny-to-Ideal

Let Q = ker ηi ⊂ E(Fpn). To find the ideal I, we need a solution α ∈End(E) to α(Q) = 0, and deg α ≡ 0 mod ℓe. Once α is found, the ideal I can be updated to Iℓe+End(E)α.

Xu Leonardi Teh Jao Wang Yu Azarderakhsh PQ Digital Signature Improvements November 28 2019 13 / 20

Our Improvements #1: Isogeny-to-Ideal

Let Q = ker ηi ⊂ E(Fpn). To find the ideal I, we need a solution α ∈End(E) to α(Q) = 0, and deg α ≡ 0 mod ℓe. Once α is found, the ideal I can be updated to Iℓe+End(E)α. The original GPS work determines α by searching randomly.

Xu Leonardi Teh Jao Wang Yu Azarderakhsh PQ Digital Signature Improvements November 28 2019 13 / 20

Our Improvements #1: Isogeny-to-Ideal

Let Q = ker ηi ⊂ E(Fpn). To find the ideal I, we need a solution α ∈End(E) to α(Q) = 0, and deg α ≡ 0 mod ℓe. Once α is found, the ideal I can be updated to Iℓe+End(E)α. The original GPS work determines α by searching randomly. We instead propose finding random solutions to αj(Q) = 0 and deg αj ≡ 0 mod ℓj iteratively for j = 1, . . . , e.

Xu Leonardi Teh Jao Wang Yu Azarderakhsh PQ Digital Signature Improvements November 28 2019 13 / 20

Our Improvements #2: Ideal-to-Isogeny

Reminder: When b = 1, the output isogeny η will be a composition of isogenies, each with degrees less than L. η = ηk ◦ · · · ◦ η1.

Xu Leonardi Teh Jao Wang Yu Azarderakhsh PQ Digital Signature Improvements November 28 2019 14 / 20

Our Improvements #2: Ideal-to-Isogeny

Reminder: When b = 1, the output isogeny η will be a composition of isogenies, each with degrees less than L. η = ηk ◦ · · · ◦ η1. Our main improvement is for constructing/evaluating the isogenies ηi efficiently.

Xu Leonardi Teh Jao Wang Yu Azarderakhsh PQ Digital Signature Improvements November 28 2019 14 / 20

Our Improvements #2: Ideal-to-Isogeny

Reminder: When b = 1, the output isogeny η will be a composition of isogenies, each with degrees less than L. η = ηk ◦ · · · ◦ η1. Our main improvement is for constructing/evaluating the isogenies ηi efficiently. For each ηi, we must construct an extension field Fpn such that Ei−1[deg ηi] ⊂ Ei−1(Fpn).

Xu Leonardi Teh Jao Wang Yu Azarderakhsh PQ Digital Signature Improvements November 28 2019 14 / 20

Our Improvements #2: Ideal-to-Isogeny

Reminder: When b = 1, the output isogeny η will be a composition of isogenies, each with degrees less than L. η = ηk ◦ · · · ◦ η1. Our main improvement is for constructing/evaluating the isogenies ηi efficiently. For each ηi, we must construct an extension field Fpn such that Ei−1[deg ηi] ⊂ Ei−1(Fpn). The original work explains how to construct each extension efficiently, but not how to maneuver between the extensions as i varies.

Xu Leonardi Teh Jao Wang Yu Azarderakhsh PQ Digital Signature Improvements November 28 2019 14 / 20

Our Improvements #2: Ideal-to-Isogeny

Reminder: When b = 1, the output isogeny η will be a composition of isogenies, each with degrees less than L. η = ηk ◦ · · · ◦ η1. Our main improvement is for constructing/evaluating the isogenies ηi efficiently. For each ηi, we must construct an extension field Fpn such that Ei−1[deg ηi] ⊂ Ei−1(Fpn). The original work explains how to construct each extension efficiently, but not how to maneuver between the extensions as i varies. In the worst case, this would result in an extension of degree LCM{deg ηi}k

i=1 ≤ Lk.

Xu Leonardi Teh Jao Wang Yu Azarderakhsh PQ Digital Signature Improvements November 28 2019 14 / 20

Our Improvements #2: Ideal-to-Isogeny

Recall that supersingular elliptic curves are always defined over Fp2.

Xu Leonardi Teh Jao Wang Yu Azarderakhsh PQ Digital Signature Improvements November 28 2019 15 / 20

Our Improvements #2: Ideal-to-Isogeny

Recall that supersingular elliptic curves are always defined over Fp2. Our proposal: after each ηi : Ei−1(Fpn) → Ei(Fpn) is computed, take an isomorphism to reduce the extension field: Φi : Ei(Fpn) → Ei(Fp2).

Xu Leonardi Teh Jao Wang Yu Azarderakhsh PQ Digital Signature Improvements November 28 2019 15 / 20

Our Improvements #2: Ideal-to-Isogeny

Recall that supersingular elliptic curves are always defined over Fp2. Our proposal: after each ηi : Ei−1(Fpn) → Ei(Fpn) is computed, take an isomorphism to reduce the extension field: Φi : Ei(Fpn) → Ei(Fp2). We provide formulas for the isomorphisms in terms of the j-invariant

• f Ei.

Xu Leonardi Teh Jao Wang Yu Azarderakhsh PQ Digital Signature Improvements November 28 2019 15 / 20

Our Improvements #2: Ideal-to-Isogeny

Recall that supersingular elliptic curves are always defined over Fp2. Our proposal: after each ηi : Ei−1(Fpn) → Ei(Fpn) is computed, take an isomorphism to reduce the extension field: Φi : Ei(Fpn) → Ei(Fp2). We provide formulas for the isomorphisms in terms of the j-invariant

• f Ei.

This process bounds the necessary extension degree by max{deg ηi}k

i=1 ≤ L.

Xu Leonardi Teh Jao Wang Yu Azarderakhsh PQ Digital Signature Improvements November 28 2019 15 / 20

Our Improvements #3: Parallel Instances

Our third major contribution is a proof of security for multiple parallel instances of the GSP signature scheme.

2Stachowiak “Proofs of Knowledge with Several Challenge Values”, 2008. Xu Leonardi Teh Jao Wang Yu Azarderakhsh PQ Digital Signature Improvements November 28 2019 16 / 20

Our Improvements #3: Parallel Instances

Our third major contribution is a proof of security for multiple parallel instances of the GSP signature scheme. The idea of using multiple challenge bits is not novel2, but the application is.

2Stachowiak “Proofs of Knowledge with Several Challenge Values”, 2008. Xu Leonardi Teh Jao Wang Yu Azarderakhsh PQ Digital Signature Improvements November 28 2019 16 / 20

Our Improvements #3: Parallel Instances

Our third major contribution is a proof of security for multiple parallel instances of the GSP signature scheme. The idea of using multiple challenge bits is not novel2, but the application is.

E E0 E1 . . . Es−1

φ0 φ1 φs−1

❅ ❅ ❅ ❅ ❅ ■ ❈ ❈ ❈ ❈ ❈ ❖ . . .

• ✒

EC

w

❄

2Stachowiak “Proofs of Knowledge with Several Challenge Values”, 2008. Xu Leonardi Teh Jao Wang Yu Azarderakhsh PQ Digital Signature Improvements November 28 2019 16 / 20

Our Improvements #3: Parallel Instances

Given a challenge bit i ∈ {0, 1, . . . , s − 1} the signer constructs an isogeny from Ei to EC.

Xu Leonardi Teh Jao Wang Yu Azarderakhsh PQ Digital Signature Improvements November 28 2019 17 / 20

Our Improvements #3: Parallel Instances

Given a challenge bit i ∈ {0, 1, . . . , s − 1} the signer constructs an isogeny from Ei to EC. Allowing for a greater number of challenge bits decreases the number

• f rounds by a logarithmic factor.

Xu Leonardi Teh Jao Wang Yu Azarderakhsh PQ Digital Signature Improvements November 28 2019 17 / 20

Our Improvements #3: Parallel Instances

Given a challenge bit i ∈ {0, 1, . . . , s − 1} the signer constructs an isogeny from Ei to EC. Allowing for a greater number of challenge bits decreases the number

• f rounds by a logarithmic factor.

We provide a proof of Completeness, Soundness, and Zero-Knowledge.

Xu Leonardi Teh Jao Wang Yu Azarderakhsh PQ Digital Signature Improvements November 28 2019 17 / 20

Our Improvements #3: Parallel Instances

Given a challenge bit i ∈ {0, 1, . . . , s − 1} the signer constructs an isogeny from Ei to EC. Allowing for a greater number of challenge bits decreases the number

• f rounds by a logarithmic factor.

We provide a proof of Completeness, Soundness, and Zero-Knowledge. Output of the algorithm for step (iii) (ideal renormalization) in the

• riginal work has a particular form. This makes our ZK proof highly

non-trivial, which is why this modification has not achieved before.

Xu Leonardi Teh Jao Wang Yu Azarderakhsh PQ Digital Signature Improvements November 28 2019 17 / 20

Our Improvements Performance

n log2 p Isogenies (ii) (iii) (iv) [3,10] 8.7 0.100 0.073 0.064 0.109 [3,20] 24.2 0.217 0.215 0.366 0.190 [3,43], [97] 61.1 1.000 1.356 0.883 0.492 [3,113] 155.4 6.356 9.442 6.989 2.297 [3,373], [587] 510.7 174.917 126.520 173.020 45.270

Table: Time (sec) per step

Xu Leonardi Teh Jao Wang Yu Azarderakhsh PQ Digital Signature Improvements November 28 2019 18 / 20

Conclusion

Major improvements to all three steps of the GPS signature scheme.

Xu Leonardi Teh Jao Wang Yu Azarderakhsh PQ Digital Signature Improvements November 28 2019 19 / 20

Conclusion

Major improvements to all three steps of the GPS signature scheme. This scheme may be feasible in the future.

Xu Leonardi Teh Jao Wang Yu Azarderakhsh PQ Digital Signature Improvements November 28 2019 19 / 20

Conclusion

Major improvements to all three steps of the GPS signature scheme. This scheme may be feasible in the future. The runtime is still too inefficient, the bottleneck is computing the extension fields.

Xu Leonardi Teh Jao Wang Yu Azarderakhsh PQ Digital Signature Improvements November 28 2019 19 / 20

Conclusion

Major improvements to all three steps of the GPS signature scheme. This scheme may be feasible in the future. The runtime is still too inefficient, the bottleneck is computing the extension fields. Our code for the KLPT subroutine is fast.

Xu Leonardi Teh Jao Wang Yu Azarderakhsh PQ Digital Signature Improvements November 28 2019 19 / 20

Conclusion

Bibliography: [1] D. Kohel, K. Lauter, C. Petit, J.-P. Tignol. “On the quaternion ℓ-isogeny path problem.” LMS Journal of Computation and Mathematics, 17.A (2014): 418-432 [2] G. Stachowiak. “Proofs of Knowledge with Several Challenge Values.” IACR Cryptology ePrint Archive (2008): 181. [3] S. Galbraith, C. Petit, J. Silva. “Identification protocols and signature schemes based on supersingular isogeny problems.” International Conference on the Theory and Application of Cryptology and Information Security. Springer, Cham, 2017.

Xu Leonardi Teh Jao Wang Yu Azarderakhsh PQ Digital Signature Improvements November 28 2019 20 / 20