Isogeny-based cryptography, a quantum-safe alternative

SLIDE 1

Isogeny-based cryptography, a quantum-safe alternative

Annamaria Iezzi

University of South Florida

FWIMD - February 9, 2019

SLIDE 2

The key exchange problem

ALICE and BELLE, communicating over a public channel, want to agree on a common secret without making it available to EVE.

SLIDE 3

Diffie-Hellman Key Exchange (1976)

$G = \langle g \rangle$, a finite cyclic group.

Discrete Logarithm Problem (DLP): Given $g^a$, find $a$.

SLIDE 4

Which group?

Original protocol

Diffie-Hellman (1976)

$G = \left(\mathbb{Z}/p\mathbb{Z}\right)^{\times} = \langle g \rangle$

DLP: Given $g^a \bmod p$, find $0 < a < p - 1$.

SLIDE 5

Which group?

Elliptic-Curve Diffie-Hellman (ECDH)

Koblitz and Miller (1985)

[Figure: the curve $y^2 = x^3 - 2x + 2$ with the points $P$, $Q$ and $P + Q$]

$E$: elliptic curve over $\mathbb{F}_q$

$G = E(\mathbb{F}_q)$, $P \in G$

DLP: Given $Q = aP$, find $0 < a < \mathrm{ord}(P)$.

SLIDE 6

Towards the quantum computing era...

1994 - Peter Shor’s quantum polynomial-time algorithm for integer factorization.

↓ extends to

Resolution of the DLP in all finite groups.

↓

All the currently deployed public key infrastructure will need to be replaced.

[Image: IBM’s 50-qubit quantum computer, March 2, 2018. Credit: IBM Research, Flickr]

SLIDE 7

How serious is the threat?

August 2015

NSA announced that it is planning to transition “in the not too distant future” to a new cipher suite that is resistant to quantum attacks.

November 2017

NIST Post-Quantum Cryptography Competition: “process to solicit, evaluate, and standardize one or more quantum-resistant public-key cryptographic algorithms”.

SLIDE 8

What are the quantum-safe alternatives?

Lattice-based cryptography: 25 candidates (Round one) → 12 candidates (Round two)

Code-based cryptography: 17 candidates (Round one) → 7 candidates (Round two)

Multivariate cryptography: 10 candidates (Round one) → 4 candidates (Round two)

Hash-based cryptography: 2 candidates (Round one) → 1 candidate (Round two)

Isogeny-based cryptography: 1 candidate (Round one) → 1 candidate (Round two)

Other: 5 candidates (Round one) → 1 candidate (Round two)

SLIDE 9

Recall

We look for cryptosystems which are not based on any discrete logarithm problem

SLIDE 10

Hard-Homogeneous Spaces (Couveignes, 97)

$G$ a group, $X$ a set, an action

$$G \times X \to X, \qquad (g, x) \mapsto g * x$$

such that $\forall\, x, x' \in X$, $\exists!\, g \in G$ such that $g * x = x'$.

“Easy” operation (e.g. polynomial time): given $g \in G$ and $x \in X$, compute $g * x$.

“Hard” operation (e.g. not polynomial time): given $x, x' \in X$, find $g \in G$ such that $g * x = x'$.

If $G$ is Abelian → commutative group action → key exchange based on HHS.

SLIDE 11

Key exchange based on HHS

Public parameter: $x_0 \in X$

Problem: Given $a * x_0$, find $a$.
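An added example, not from the original slides: a toy HHS key exchange in Python, with exponentiation in a prime-order subgroup standing in for the group action so that the “easy” operation, the “hard” operation and the commutativity can be run directly. The parameters p = 2039, q = 1019, x0 = 4 are constructed and all function names are hypothetical; inverting this particular action is a discrete logarithm problem, so it shows the structure of the protocol only, not a quantum-safe instance.

```python
# Toy hard homogeneous space with constructed parameters (illustration only).
# G = (Z/qZ)^x acts on X = {elements of order q in (Z/pZ)^x} by g * x = x^g mod p.
import secrets

P = 2039   # small safe prime, p = 2q + 1 (constructed)
Q = 1019   # prime, so X has exactly q - 1 elements
X0 = 4     # public parameter x0; 4 = 2^2 is a square != 1, hence of order q

def act(g, x):
    """The "easy" operation: compute g * x."""
    if not 1 <= g < Q:
        raise ValueError("g must represent an element of (Z/qZ)^x")
    return pow(x, g, P)

def in_X(x):
    """x lies in X iff x != 1 and x^q = 1 mod p."""
    return 1 < x < P and pow(x, Q, P) == 1

def keygen():
    a = secrets.randbelow(Q - 1) + 1   # secret a in G, uniform in 1..q-1
    return a, act(a, X0)               # (secret, public value a * x0)

def shared(secret, peer_public):
    if not in_X(peer_public):          # reject values that are not in X
        raise ValueError("peer value is not an element of X")
    return act(secret, peer_public)

def recover(x, x_prime):
    """The "hard" operation by exhaustive search; feasible only because |G| is tiny."""
    for g in range(1, Q):
        if act(g, x) == x_prime:
            return g
    raise ValueError("no g with g * x = x'")

def is_regular_from(x):
    """g -> g * x hits q - 1 distinct elements of X, i.e. all of X, each exactly once."""
    orbit = {act(g, x) for g in range(1, Q)}
    return len(orbit) == Q - 1 and all(in_X(y) for y in orbit)

if __name__ == "__main__":
    a, A = keygen()                       # ALICE publishes A = a * x0
    b, B = keygen()                       # BELLE publishes B = b * x0
    assert shared(a, B) == shared(b, A)   # a * (b * x0) == b * (a * x0)
    print("free and transitive:", is_regular_from(X0))
    print("EVE recovers a from A by search:", recover(X0, A) == a)
```

In the isogeny-based instantiations listed later in the slides, `act` is replaced by the action of an ideal class on an elliptic curve, and the search in `recover` is the problem the scheme's security rests on.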

SLIDE 12

Elliptic curves and isogenies

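$E$, an elliptic curve defined over $\mathbb{F}_q$:

$$E : y^2 = ax^3 + bx + c, \qquad a, b \in \mathbb{F}_q, \qquad 4a^3 + 27b^2 \neq 0$$

$\varphi$, an isogeny (non-constant rational map and group homomorphism):

$$\varphi : E \to E', \qquad (x, y) \mapsto \left( \frac{f_1(x,y)}{g_1(x,y)},\ \frac{f_2(x,y)}{g_2(x,y)} \right)$$

$\mathcal{O} := \mathrm{End}(E)$, the ring of endomorphisms of $E$.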

SLIDE 13

A commutative group action

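$\mathcal{O}$, an order in an imaginary quadratic field.

Set $X$: isomorphism classes $E$ of elliptic curves having the same endomorphism ring $\mathcal{O}$.

Group $G$: ideal class group of $\mathcal{O}$,

$$G = \mathrm{Cl}(\mathcal{O}) = I(\mathcal{O}) / P(\mathcal{O}) = \{[\mathfrak{a}] : \mathfrak{a} \text{ is an ideal of } \mathcal{O}\}$$

$G$ is a finite abelian group.

$G$ acts on $X$: $[\mathfrak{a}] * E_1 = E_2$, with $\varphi_{\mathfrak{a}} : E_1 \to E_2$ and $\deg(\varphi_{\mathfrak{a}}) = N(\mathfrak{a})$.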

SLIDE 14

Random walks on the isogeny graph

SLIDE 15

Examples

Couveignes - 1997

Rostovtsev and Stolbounov - 2006 and 2010

De Feo, Kieffer, Smith - 2018

CSIDH - 2018

SLIDE 16

The underlying mathematical problem

The security of these cryptosystems relies on the following “hard” mathematical problem:

Let $E_1$ and $E_2$ be two elliptic curves defined over a finite field such that there exists an imaginary quadratic order $\mathcal{O}$ which satisfies $\mathcal{O} \cong \mathrm{End}(E_i)$, $i = 1, 2$.

Problem: Find an isogeny $\varphi : E_1 \to E_2$; equivalently, find $[\mathfrak{a}] \in \mathrm{Cl}(\mathcal{O})$ such that $[\mathfrak{a}] * E_1 = E_2$.

SLIDE 17

How to tackle the problem?

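Problem: Given $E_1$ and $E_2$, find $[\mathfrak{a}] \in \mathrm{Cl}(\mathcal{O})$ such that $[\mathfrak{a}] * E_1 = E_2$.

Limit the number of tries in $\mathrm{Cl}(\mathcal{O})$: → Hidden Shift Problem

Compute efficiently $[\mathfrak{a}] * E_1$: → Factor $[\mathfrak{a}]$ in a “short” product

Biasse, I., Jacobson (2018):

$N := |\mathrm{Cl}(\mathcal{O})|$

Time: $2^{O\left(\sqrt{\log(N)}\right)}$

Quantum memory: $2^{O\left(\sqrt{\log(N)}\right)}$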

SLIDE 18