An introduction to supersingular isogeny-based cryptography - Craig Costello, Summer School on Real-World Crypto and Privacy (PowerPoint PPT Presentation)



SLIDE 1

An introduction to supersingular isogeny-based cryptography

Craig Costello

Summer School on Real-World Crypto and Privacy, June 8, 2017, Šibenik, Croatia

SLIDE 2

  • SIDH library v2.0: https://www.microsoft.com/en-us/research/project/sidh-library/
  • Full version of the Crypto'16 paper (joint with P. Longa and M. Naehrig): http://eprint.iacr.org/2016/413
  • Full version of the Eurocrypt'17 paper (joint with D. Jao, P. Longa, M. Naehrig, D. Urbanik, J. Renes): http://eprint.iacr.org/2016/963
  • Preprint of recent work on flexible SIDH (joint with H. Hisil): http://eprint.iacr.org/2017/504
  • "Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies", Luca De Feo, David Jao, Jérôme Plût: http://eprint.iacr.org/2011/506

SLIDE 3

  • W. Castryck (GIF): "Elliptic curves are dead: long live elliptic curves" https://www.esat.kuleuven.be/cosic/?p=7404
SLIDE 4

Part 1: Motivation
Part 2: Preliminaries
Part 3: SIDH

SLIDE 5

Quantum computers ↔ Cryptopocalypse

  • Quantum computers break elliptic curves, finite fields, factoring, everything currently used for PKC
  • Aug 2015: NSA announces plans to transition to quantum-resistant algorithms
  • Feb 2016: NIST calls for quantum-secure submissions. Deadline Nov 30, 2017

SLIDE 6

Post-quantum key exchange

Which hard problem(s) to use now???

This talk: supersingular isogenies

SLIDE 7

Diffie-Hellman(ish) instantiations

  • DH: elements are integers $g$ modulo a prime; secrets are exponents $x$; computation $g, x \mapsto g^x$; hard problem: given $g, g^x$ find $x$
  • ECDH: elements are points $P$ in a curve group; secrets are scalars $k$; computation $k, P \mapsto [k]P$; hard problem: given $P, [k]P$ find $k$
  • R-LWE [BCNS'15, NewHope, NTRU]: elements are $a$ in the ring $R = \mathbb{Z}_q[x]/\langle \Phi_n(x) \rangle$; secrets are small errors $s, e \in R$; computation $a, s, e \mapsto as + e$; hard problem: given $a, as + e$ find $s$
  • LWE [Frodo]: elements are matrices $A$ in $\mathbb{Z}_q^{n \times n}$; secrets are small $s, e \in \mathbb{Z}_q^n$; computation $A, s, e \mapsto As + e$; hard problem: given $A, As + e$ find $s$
  • SIDH [DJP14, CLN16]: elements are curves $E$ in an isogeny class; secrets are isogenies $\phi$; computation $\phi, E \mapsto \phi(E)$; hard problem: given $E, \phi(E)$ find $\phi$

SLIDE 8

Part 1: Motivation
Part 2: Preliminaries
Part 3: SIDH

SLIDE 9

Extension fields

  • To construct the degree-$n$ extension field $\mathbb{F}_{q^n}$ of a finite field $\mathbb{F}_q$, take $\mathbb{F}_{q^n} = \mathbb{F}_q(\alpha)$ where $f(\alpha) = 0$ and $f(x)$ is irreducible of degree $n$ in $\mathbb{F}_q[x]$.
  • Example: for any prime $p \equiv 3 \bmod 4$, can take $\mathbb{F}_{p^2} = \mathbb{F}_p(i)$ where $i^2 + 1 = 0$.

SLIDE 10

Elliptic curves and $j$-invariants

  • Recall that every elliptic curve $E$ over a field $K$ with $\operatorname{char} K > 3$ can be defined by $E : y^2 = x^3 + ax + b$, where $a, b \in K$ and $4a^3 + 27b^2 \neq 0$
  • For any extension $K'/K$, the set of $K'$-rational points forms a group with identity $\infty$
  • The $j$-invariant $j(E) = j(a, b) = 1728 \cdot \frac{4a^3}{4a^3 + 27b^2}$ determines the isomorphism class over $\bar{K}$
  • E.g., $E' : y^2 = x^3 + au^2 x + bu^3$ is isomorphic to $E$ for all $u \in K^*$
  • Recover a curve from $j$: e.g., set $a = -3c$ and $b = 2c$ with $c = j/(j - 1728)$

SLIDE 11

Example

Over $\mathbb{F}_{13}$, the curves $E_1 : y^2 = x^3 + 9x + 8$ and $E_2 : y^2 = x^3 + 3x + 5$ are isomorphic, since
$j(E_1) = 1728 \cdot \frac{4 \cdot 9^3}{4 \cdot 9^3 + 27 \cdot 8^2} = 3 = 1728 \cdot \frac{4 \cdot 3^3}{4 \cdot 3^3 + 27 \cdot 5^2} = j(E_2)$.

An isomorphism is given by $\psi : E_1 \to E_2$, $(x, y) \mapsto (10x, 5y)$, with inverse $\psi^{-1} : E_2 \to E_1$, $(x, y) \mapsto (4x, 8y)$, noting that $\psi(\infty_1) = \infty_2$.
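The following is an added worked example, not code from the slides: a small Python script that computes the $j$-invariant of slide 10, searches for the isomorphism between the two curves of slide 11 in the slide's own convention ($E' : y^2 = x^3 + au^2 x + bu^3$ with the map $(x, y) \mapsto (ux, w^3 y)$ where $w^2 = u$), checks that map point by point over $\mathbb{F}_{13}$, and recovers a curve from $j$ with the $a = -3c$, $b = 2c$ recipe. The function names and the brute-force point enumeration are this example's own choices, adequate only for tiny primes.

```python
def j_invariant(p, a, b):
    """j(a, b) = 1728 * 4a^3 / (4a^3 + 27b^2) in F_p; the denominator is non-zero for a non-singular curve."""
    four_a3 = 4 * pow(a, 3, p) % p
    den = (four_a3 + 27 * b * b) % p
    return 1728 * four_a3 * pow(den, p - 2, p) % p


def points(p, a, b):
    """All affine F_p-rational points of y^2 = x^3 + ax + b, by brute force (fine for tiny p)."""
    return [(x, y) for x in range(p) for y in range(p) if (y * y - x ** 3 - a * x - b) % p == 0]


def isomorphisms(p, E1, E2):
    """All (u, w^3) with a2 = a1*u^2, b2 = b1*u^3 and w^2 = u; each gives the isomorphism
    (x, y) -> (u*x, w^3*y) from E1 to E2 (the convention of slides 10 and 11)."""
    (a1, b1), (a2, b2) = E1, E2
    return [(u, pow(w, 3, p)) for u in range(1, p) for w in range(1, p)
            if (a1 * u * u - a2) % p == 0 and (b1 * u ** 3 - b2) % p == 0 and (w * w - u) % p == 0]


def map_points(p, E1, E2, u, v):
    """Apply (x, y) -> (u*x, v*y) to every point of E1 and count how many images lie on E2."""
    a2, b2 = E2
    images = [((u * x) % p, (v * y) % p) for x, y in points(p, *E1)]
    return sum((y * y - x ** 3 - a2 * x - b2) % p == 0 for x, y in images)


def curve_from_j(p, j):
    """A curve with the given j-invariant (j not 0 or 1728): a = -3c, b = 2c with c = j / (j - 1728)."""
    c = j * pow((j - 1728) % p, p - 2, p) % p
    return (-3 * c) % p, 2 * c % p
```

`isomorphisms(13, (9, 8), (3, 5))` yields $u = 10$ with the two $y$-scalars $8$ and $5$ (the two square roots of 10 cubed); the pair $(10, 5)$ is the slide's $\psi$, and the other one is $\psi$ composed with negation. `map_points` confirms that every point of $E_1$ lands on $E_2$.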

SLIDE 12

Torsion subgroups

  • The multiplication-by-$n$ map: $[n] : E \to E$, $P \mapsto [n]P$
  • The $n$-torsion subgroup is the kernel of $[n]$: $E[n] = \{P \in E(\bar{K}) : [n]P = \infty\}$
  • Found as the roots of the $n$-th division polynomial $\psi_n$
  • If $\operatorname{char} K$ doesn't divide $n$, then $E[n] \simeq \mathbb{Z}_n \times \mathbb{Z}_n$
SLIDE 13

Example ($n = 3$)

  • Consider $E/\mathbb{F}_{11} : y^2 = x^3 + 4$ with $\#E(\mathbb{F}_{11}) = 12$
  • The 3-division polynomial $\psi_3(x) = 3x^4 + 4x$ partially splits as $\psi_3(x) = 3x(x + 3)(x^2 + 8x + 9)$
  • Thus, $x = 0$ and $x = -3$ give 3-torsion points. The points $(0, 2)$ and $(0, 9)$ are in $E(\mathbb{F}_{11})$, but the rest lie in $E(\mathbb{F}_{11^2})$
  • Write $\mathbb{F}_{11^2} = \mathbb{F}_{11}(i)$ with $i^2 + 1 = 0$. Then $\psi_3(x)$ splits over $\mathbb{F}_{11^2}$ as $\psi_3(x) = 3x(x + 3)(x + 9i + 4)(x + 2i + 4)$
  • Observe $E[3] \simeq \mathbb{Z}_3 \times \mathbb{Z}_3$, i.e., 4 cyclic subgroups of order 3

SLIDE 14

Subgroup isogenies

  • Isogeny: a morphism (rational map) $\phi : E_1 \to E_2$ that preserves the identity, i.e. $\phi(\infty_1) = \infty_2$
  • The degree of a (separable) isogeny is the number of elements in its kernel, the same as its degree as a rational map
  • Given a finite subgroup $G \subseteq E_1$, there is a unique curve $E_2$ and isogeny $\phi : E_1 \to E_2$ (up to isomorphism) having kernel $G$. Write $E_2 = \phi(E_1) = E_1/\langle G \rangle$.

SLIDE 15

Subgroup isogenies: special cases

  • Isomorphisms are a special case of isogenies where the kernel is trivial: $\phi : E_1 \to E_2$, $\ker \phi = \{\infty_1\}$
  • Endomorphisms are a special case of isogenies where the domain and co-domain are the same curve: $\phi : E_1 \to E_1$, $\ker \phi = G$, $|G| > 1$
  • Perhaps think of isogenies as a generalization of either/both: isogenies allow a non-trivial kernel and allow different domain/co-domain
  • Isogenies are *almost* isomorphisms
SLIDE 16

Vélu's formulas

Given any finite subgroup $G$ of $E$, we may form a quotient isogeny $\phi : E \to E' = E/G$ with kernel $G$ using Vélu's formulas.

Example: $E : y^2 = (x^2 + b_1 x + b_0)(x - a)$. The point $(a, 0)$ has order 2; the quotient of $E$ by $\langle (a, 0) \rangle$ gives an isogeny $\phi : E \to E' = E/\langle (a, 0) \rangle$, where
$E' : y^2 = x^3 - (4a + 2b_1)x^2 + (b_1^2 - 4b_0)x$
and where $\phi$ maps $(x, y)$ to
$\left( \frac{x^3 - (a - b_1)x^2 - (b_1 a - b_0)x - b_0 a}{(x - a)^2},\ y \cdot \frac{x^2 - 2ax - (b_1 a + b_0)}{(x - a)^2} \right)$.
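As an added example (not the slides' own code), the 2-isogeny of slide 16 implemented over a small prime field: the image curve $E' : y^2 = x^3 + A_2 x^2 + A_4 x$ and the map $\phi$ are computed, $\phi$ is applied to every $\mathbb{F}_p$-point of $E$, and each image is checked against the equation of $E'$. Because the scraped slide does not show the signs inside $E'$ and the $y$-map reliably, the coefficients used here are the ones obtained by translating the kernel point $(a, 0)$ to the origin and applying the textbook 2-isogeny $(x, y) \mapsto (y^2/x^2,\ y(B - x^2)/x^2)$ from $y^2 = x^3 + Ax^2 + Bx$ onto $y^2 = x^3 - 2Ax^2 + (A^2 - 4B)x$; the point-by-point check is what confirms them. The prime $p = 13$ and the coefficients $a = 2$, $b_1 = 3$, $b_0 = 5$ are constructed for the example.

```python
def two_isogeny(p, a, b1, b0):
    """The 2-isogeny with kernel <(a, 0)> from E: y^2 = (x^2 + b1*x + b0)(x - a) over F_p (p an odd prime).
    Returns the coefficients (A2, A4) of E': y^2 = x^3 + A2*x^2 + A4*x and the map phi on affine points."""
    A2, A4 = (-(4 * a + 2 * b1)) % p, (b1 * b1 - 4 * b0) % p
    inv = lambda t: pow(t % p, p - 2, p)

    def phi(P):
        x, y = P
        if (x - a) % p == 0:  # the kernel point (a, 0) is the only affine point sent to infinity
            return None
        num_x = x ** 3 - (a - b1) * x * x - (b1 * a - b0) * x - b0 * a  # equals (x - a)(x^2 + b1 x + b0)
        num_y = y * (x * x - 2 * a * x - (b1 * a + b0))
        d = inv((x - a) ** 2)
        return (num_x * d % p, num_y * d % p)
    return (A2, A4), phi


def check_two_isogeny(p, a, b1, b0):
    """Push every affine F_p-point of E through phi; returns (#points of E, #points whose image lies on E')."""
    (A2, A4), phi = two_isogeny(p, a, b1, b0)
    E = [(x, y) for x in range(p) for y in range(p) if (y * y - (x * x + b1 * x + b0) * (x - a)) % p == 0]
    on_image = 0
    for P in E:
        Q = phi(P)
        if Q is None or (Q[1] ** 2 - Q[0] ** 3 - A2 * Q[0] ** 2 - A4 * Q[0]) % p == 0:
            on_image += 1
    return len(E), on_image
```

For $p = 13$, $a = 2$, $b_1 = 3$, $b_0 = 5$ the image curve is $y^2 = x^3 + 12x^2 + 2x$ and, for instance, $(0, 4) \mapsto (4, 2)$; `check_two_isogeny` reports that every point of $E$ maps onto $E'$. The numerator of the $x$-map factors as $(x - a)(x^2 + b_1 x + b_0)$, so $\phi_x = (x^2 + b_1 x + b_0)/(x - a) = y^2/(x - a)^2$, which is the translated textbook form.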

SLIDE 17

Vélu's formulas

Given curve coefficients $a, b$ for $E$, and all of the $x$-coordinates $x_i$ of the subgroup $G \subseteq E$, Vélu's formulas output $a', b'$ for $E'$ and the map $\phi : E \to E'$, $(x, y) \mapsto \left( \frac{f_1(x, y)}{g_1(x, y)},\ \frac{f_2(x, y)}{g_2(x, y)} \right)$

SLIDE 18

Example, cont.

  • Recall $E/\mathbb{F}_{11} : y^2 = x^3 + 4$ with $\#E(\mathbb{F}_{11}) = 12$
  • Consider $[3] : E \to E$, the multiplication-by-3 endomorphism
  • $G = \ker[3] = E[3]$, which is not cyclic
  • Conversely, given the subgroup $G$, the unique isogeny $\phi$ with $\ker \phi = G$ turns out to be the endomorphism $\phi = [3]$
  • But what happens if we instead take $G$ as one of the cyclic subgroups of order 3?

SLIDE 19

Example, cont.

$E/\mathbb{F}_{11} : y^2 = x^3 + 4$, with 3-isogenies $\phi_1, \phi_2, \phi_3, \phi_4$ to
  • $E_1/\mathbb{F}_{11} : y^2 = x^3 + 2$
  • $E_2/\mathbb{F}_{11} : y^2 = x^3 + 5x$
  • $E_3/\mathbb{F}_{11^2} : y^2 = x^3 + (7i + 3)x$
  • $E_4/\mathbb{F}_{11^2} : y^2 = x^3 + (4i + 3)x$

$E_1, E_2, E_3, E_4$ are all 3-isogenous to $E$, but what's the relation to each other?

SLIDE 20

Isomorphisms and isogenies

  • Fact 1: $E_1$ and $E_2$ are isomorphic iff $j(E_1) = j(E_2)$
  • Fact 2: $E_1$ and $E_2$ are isogenous iff $\#E_1 = \#E_2$ (Tate)
  • Fact 3: $q + 1 - 2\sqrt{q} \le \#E(\mathbb{F}_q) \le q + 1 + 2\sqrt{q}$ (Hasse)

Upshot: for fixed $q$ there are $O(\sqrt{q})$ isogeny classes and $O(q)$ isomorphism classes

SLIDE 21

Supersingular curves

  • $E/\mathbb{F}_q$ with $q = p^n$ is supersingular iff $E[p] = \{\infty\}$
  • Fact: all supersingular curves can be defined over $\mathbb{F}_{p^2}$
  • Let $S_{p^2}$ be the set of supersingular $j$-invariants
  • Theorem: $\#S_{p^2} = \lfloor p/12 \rfloor + b$, $b \in \{0, 1, 2\}$

SLIDE 22

The supersingular isogeny graph

  • We are interested in the set of supersingular curves (up to isomorphism) over a specific field
  • Thm (Mestre): all supersingular curves over $\mathbb{F}_{p^2}$ are in the same isogeny class
  • Fact (see previous slides): for every prime $\ell$ not dividing $p$, there exist $\ell + 1$ isogenies of degree $\ell$ originating from any supersingular curve

Upshot: immediately leads to an $(\ell + 1)$-regular directed graph $X(S_{p^2}, \ell)$

SLIDE 23

E.g. a supersingular isogeny graph

  • Let $p = 241$, $\mathbb{F}_{p^2} = \mathbb{F}_p(w) = \mathbb{F}_p[x]/(x^2 - 3x + 7)$
  • $\#S_{p^2} = 20$
  • $S_{p^2} = \{93,\ 51w + 30,\ 190w + 183,\ 240,\ 216,\ 45w + 211,\ 196w + 105,\ 64,\ 155w + 3,\ 74w + 50,\ 86w + 227,\ 167w + 31,\ 175w + 237,\ 66w + 39,\ 8,\ 23w + 193,\ 218w + 21,\ 28,\ 49w + 112,\ 192w + 18\}$

Credit to Fre Vercauteren for the example and pictures...

SLIDE 24

Supersingular isogeny graph for $\ell = 2$: $X(S_{241^2}, 2)$ (figure)

SLIDE 25

Supersingular isogeny graph for $\ell = 3$: $X(S_{241^2}, 3)$ (figure)

SLIDE 26

Supersingular isogeny graphs are Ramanujan graphs

Rapid mixing property: Let $S$ be any subset of the vertices of the graph $G$, and $x$ be any vertex in $G$. A "long enough" random walk will land in $S$ with probability at least $\frac{|S|}{2|G|}$.

See De Feo, Jao, Plût (Prop 2.1) for the precise formula describing what's "long enough"

SLIDE 27

Part 1: Motivation
Part 2: Preliminaries
Part 3: SIDH

SLIDE 28

SIDH: history

  • 1999: Couveignes gives the talk "Hard homogeneous spaces" (eprint.iacr.org/2006/291)
  • 2006 (OIDH): Rostovtsev and Stolbunov propose ordinary isogeny DH
  • 2010 (OIDH break): Childs-Jao-Soukharev give a quantum subexponential alg.
  • 2011 (SIDH): Jao and De Feo fix this by choosing supersingular curves

Crucial difference: the supersingular (i.e., non-ordinary) endomorphism ring is not commutative (resists the above attack)

SLIDE 29

(figure only)

SLIDE 30

  • W. Castryck (GIF): "Elliptic curves are dead: long live elliptic curves" https://www.esat.kuleuven.be/cosic/?p=7404
SLIDE 31

SIDH: in a nutshell

Diagram (params / public / private): $E_0 \xrightarrow{\phi_A} E_A = E_0/\langle A \rangle$, $E_0 \xrightarrow{\phi_B} E_B = E_0/\langle B \rangle$, and $E_A \xrightarrow{\phi_B'} E_{AB} = E_0/\langle A, B \rangle \xleftarrow{\phi_A'} E_B$.

The $E$'s are isogenous curves; the $P$'s, $Q$'s, $R$'s, $S$'s are points.

SLIDE 32

SIDH: in a nutshell

  • $E_A = E_0/\langle P_A + [s_A]Q_A \rangle$ and $E_B = E_0/\langle P_B + [s_B]Q_B \rangle$; $E_{AB} = E_0/\langle A, B \rangle$
  • $(R_A, S_A) = (\phi_A(P_B), \phi_A(Q_B))$ and $(\phi_B(P_A), \phi_B(Q_A)) = (R_B, S_B)$
  • $E_A/\langle R_A + [s_B]S_A \rangle \cong E_0/\langle P_A + [s_A]Q_A,\ P_B + [s_B]Q_B \rangle \cong E_B/\langle R_B + [s_A]S_B \rangle$

The $E$'s are isogenous curves; the $P$'s, $Q$'s, $R$'s, $S$'s are points (params / public / private).

Key: Alice sends her isogeny evaluated at Bob's generators, and vice versa

SLIDE 33

  • Why $E' = E/\langle P + [s]Q \rangle$, etc?
  • Why not just $E' = E/\langle [s]Q \rangle$?... because here $E'$ is $\approx$ independent of $s$
  • Need a two-dimensional basis to span the two-dimensional torsion
  • Every different $s$ now gives a different order-$n$ subgroup, i.e., kernel, i.e. isogeny
  • Composite $n$: same thing, just an uglier picture

$E[n] \cong \mathbb{Z}_n \times \mathbb{Z}_n$ ($n$ prime depicted below): $n + 1$ cyclic subgroups of order $n$ (figure, labelled $P$, $[s]Q$, $Q$)

SLIDES 34-36

(animation frames of the slide 33 picture)

SLIDE 37

Exploiting smooth degree isogenies

  • Computing isogenies of prime degree $\ell$ costs at least $O(\ell)$, e.g., Vélu's formulas need the whole kernel specified
  • We (obviously) need an exponentially large set of kernels, meaning exponentially sized isogenies, which we can't compute unless they're smooth
  • Here (for efficiency/ease) we will only use isogenies of degree $\ell^e$ for $\ell \in \{2, 3\}$

SLIDE 38

Exploiting smooth degree isogenies

(credit DJP'14 for the picture, and for a much better way to traverse the tree)

  • Suppose our secret point $S_0$ has order $\ell^5$ with, e.g., $\ell \in \{2, 3\}$; we need $\phi : E \to E/\langle S_0 \rangle$
  • Could compute all $\ell^5$ elements in the kernel (but only because the exponent is 5)
  • Better to factor $\phi = \phi_4 \phi_3 \phi_2 \phi_1 \phi_0$, where all $\phi_i$ have degree $\ell$, and
    $\phi_0 : E_0 \to E_0/\langle [\ell^4]S_0 \rangle$, $S_1 = \phi_0(S_0)$;
    $\phi_1 : E_1 \to E_1/\langle [\ell^3]S_1 \rangle$, $S_2 = \phi_1(S_1)$;
    $\phi_2 : E_2 \to E_2/\langle [\ell^2]S_2 \rangle$, $S_3 = \phi_2(S_2)$;
    $\phi_3 : E_3 \to E_3/\langle [\ell]S_3 \rangle$, $S_4 = \phi_3(S_3)$;
    $\phi_4 : E_4 \to E_4/\langle S_4 \rangle$.
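Below is an added worked example in Python, not code from the slides or from the SIDH library: a toy version of the protocol of slide 32 assembled from the pieces introduced on slides 12-19 and 38. It implements $\mathbb{F}_{p^2} = \mathbb{F}_p(i)$ (slide 9), short Weierstrass point arithmetic, Vélu's formulas for a cyclic kernel of prime order (slides 14-17, in the general affine form rather than the Montgomery $x$-only arithmetic of slide 41), the factorisation of a degree-$\ell^e$ isogeny into $e$ steps of degree $\ell$ (slide 38), and the key exchange itself. `three_isogenous_curves` reproduces the four curves of slide 19 from the order-3 subgroups of $E/\mathbb{F}_{11} : y^2 = x^3 + 4$ (slide 13). Assumptions of this example: the toy prime $p = 431 = 2^4 \cdot 3^3 - 1$ in place of the slide 40 parameter, and torsion bases sampled at random with an explicit independence check instead of the distortion-map construction $Q = \tau(P)$ of slide 40; all names are this example's own. The deck is from 2017; SIDH as described here was shown to be practically breakable in 2022 (Castryck and Decru), and the code models the 2017 protocol as the slides present it.

```python
import random


class Fp2:  # F_{p^2} = F_p(i) with i^2 = -1, for primes p = 3 (mod 4); elements are pairs (c0, c1) = c0 + c1*i
    def __init__(self, p): self.p = p
    def add(self, u, v): return ((u[0] + v[0]) % self.p, (u[1] + v[1]) % self.p)
    def sub(self, u, v): return ((u[0] - v[0]) % self.p, (u[1] - v[1]) % self.p)
    def mul(self, u, v): return ((u[0] * v[0] - u[1] * v[1]) % self.p, (u[0] * v[1] + u[1] * v[0]) % self.p)
    def inv(self, u):  # conjugate divided by the norm c0^2 + c1^2
        n = pow(u[0] * u[0] + u[1] * u[1], self.p - 2, self.p)
        return (u[0] * n % self.p, -u[1] * n % self.p)

    def sqrt(self, z):  # a square root of z = a + b*i, or None if z is a non-square
        p, (a, b) = self.p, z
        r = lambda t: pow(t % p, (p + 1) // 4, p)  # square-root candidate in F_p (valid because p = 3 mod 4)
        alpha = r(a * a + b * b)  # sqrt of the norm: if z = (c + d*i)^2 then c^2 + d^2 = +-alpha and c^2 - d^2 = a,
        for s in (alpha, -alpha):  # so c^2 = (a + s)/2 for one sign and d = b/(2c); the result is verified by squaring
            c = r((a + s) * (p + 1) // 2)
            d = b * pow(2 * c, p - 2, p) % p if c else r(-a)  # c = 0 only for z = a in F_p with -a a square: z = (d*i)^2
            if self.mul((c, d), (c, d)) == z:
                return (c, d)
        return None


class Curve:  # E: y^2 = x^3 + a*x + b over an Fp2; points are (x, y) pairs of field elements, None is infinity
    def __init__(self, F, a, b): self.F, self.a, self.b = F, a, b
    def rhs(self, x): return self.F.add(self.F.mul(self.F.mul(x, x), x), self.F.add(self.F.mul(self.a, x), self.b))

    def j(self):  # j = 1728 * 4a^3 / (4a^3 + 27b^2)
        F, a3 = self.F, self.F.mul((4, 0), self.F.mul(self.F.mul(self.a, self.a), self.a))
        return F.mul((1728, 0), F.mul(a3, F.inv(F.add(a3, F.mul((27, 0), F.mul(self.b, self.b))))))

    def add(self, P, Q):  # chord-and-tangent addition
        F = self.F
        if P is None or Q is None: return Q if P is None else P
        if P[0] == Q[0] and (P[1] != Q[1] or P[1] == (0, 0)): return None  # Q = -P (or doubling a 2-torsion point)
        lam = (F.mul(F.add(F.mul((3, 0), F.mul(P[0], P[0])), self.a), F.inv(F.add(P[1], P[1]))) if P == Q
               else F.mul(F.sub(Q[1], P[1]), F.inv(F.sub(Q[0], P[0]))))
        x = F.sub(F.sub(F.mul(lam, lam), P[0]), Q[0])
        return (x, F.sub(F.mul(lam, F.sub(P[0], x)), P[1]))

    def mul(self, k, P):  # double-and-add [k]P
        R = None
        while k:
            R, P, k = (self.add(R, P) if k & 1 else R), self.add(P, P), k >> 1
        return R

    def velu(self, S, ell):  # Velu's formulas for the cyclic kernel <S> of prime order ell: (E' = E/<S>, phi: E -> E')
        F, data, v, w = self.F, [], (0, 0), (0, 0)
        for k in range(1, ell // 2 + 1):  # one point from each pair {Q, -Q} in <S> (just S itself when ell = 2)
            xq, yq = self.mul(k, S)
            gx, gy = F.add(F.mul((3, 0), F.mul(xq, xq)), self.a), F.sub((0, 0), F.add(yq, yq))
            vq, uq = (gx, (0, 0)) if yq == (0, 0) else (F.add(gx, gx), F.mul(gy, gy))
            v, w = F.add(v, vq), F.add(w, F.add(uq, F.mul(xq, vq)))
            data.append((xq, yq, gx, gy, vq, uq))
        E2 = Curve(F, F.sub(self.a, F.mul((5, 0), v)), F.sub(self.b, F.mul((7, 0), w)))

        def phi(P):  # kernel points (same x as a kernel representative) map to infinity
            if P is None or any(P[0] == d[0] for d in data): return None
            X, Y = P
            for xq, yq, gx, gy, vq, uq in data:
                t = F.inv(F.sub(P[0], xq))
                t2, t3 = F.mul(t, t), F.mul(F.mul(t, t), t)
                X = F.add(X, F.add(F.mul(vq, t), F.mul(uq, t2)))
                Y = F.sub(Y, F.add(F.mul(F.mul(uq, F.add(P[1], P[1])), t3),
                                   F.sub(F.mul(F.mul(vq, F.sub(P[1], yq)), t2), F.mul(F.mul(gx, gy), t2))))
            return (X, Y)
        return E2, phi


def isogeny_chain(E, S, ell, e, points):  # phi = phi_{e-1} ... phi_0 with ker phi = <S>, S of order ell^e (slide 38)
    for i in range(e):
        E, phi = E.velu(E.mul(ell ** (e - 1 - i), S), ell)
        S, points = phi(S), [phi(P) for P in points]  # S_{i+1} = phi_i(S_i); the other points are pushed through too
    return E, points


def torsion_basis(E, ell, e, rng):  # random P, Q with <P, Q> = E[ell^e]
    cofactor, basis = (E.F.p + 1) // ell ** e, []  # #E(F_{p^2}) = (p+1)^2, so [(p+1)/ell^e] maps any point into E[ell^e]
    while len(basis) < 2:
        x = (rng.randrange(E.F.p), rng.randrange(E.F.p))
        y = E.F.sqrt(E.rhs(x))
        P = E.mul(cofactor, (x, y)) if y is not None else None
        U = E.mul(ell ** (e - 1), P)  # the order-ell part of P decides whether P has full order and is independent
        if U is not None and not any(U == E.mul(k, basis[0][1]) for k in range(1, ell) if basis):
            basis.append((P, U))
    return basis[0][0], basis[1][0]


def three_isogenous_curves(p=11):  # slide 19: (a', b', j) of E/<S> for each order-3 subgroup <S> of E: y^2 = x^3 + 4
    E = Curve(Fp2(p), (0, 0), (4, 0))
    xs = ((c0, c1) for c0 in range(p) for c1 in range(p))  # a 3-torsion x-coordinate determines the pair {S, -S}
    gens = [(x, y) for x in xs for y in [E.F.sqrt(E.rhs(x))] if y not in (None, (0, 0)) and E.mul(3, (x, y)) is None]
    return sorted((E2.a, E2.b, E2.j()) for E2, _ in (E.velu(S, 3) for S in gens))


def sidh(p=431, eA=4, eB=3, seed=7):  # toy SIDH (slide 32) on E_0: y^2 = x^3 + x over F_{p^2}, p = 2^eA * 3^eB - 1
    rng, E0 = random.Random(seed), Curve(Fp2(p), (1, 0), (0, 0))
    (PA, QA), (PB, QB) = torsion_basis(E0, 2, eA, rng), torsion_basis(E0, 3, eB, rng)  # public torsion bases
    sA, sB = rng.randrange(2 ** eA), rng.randrange(3 ** eB)  # private keys
    EA, (RA, SA) = isogeny_chain(E0, E0.add(PA, E0.mul(sA, QA)), 2, eA, [PB, QB])  # Alice: E_A, phi_A(P_B), phi_A(Q_B)
    EB, (RB, SB) = isogeny_chain(E0, E0.add(PB, E0.mul(sB, QB)), 3, eB, [PA, QA])  # Bob: E_B, phi_B(P_A), phi_B(Q_A)
    EAB, _ = isogeny_chain(EA, EA.add(RA, EA.mul(sB, SA)), 3, eB, [])  # Bob computes E_A/<R_A + [s_B]S_A>
    EBA, _ = isogeny_chain(EB, EB.add(RB, EB.mul(sA, SB)), 2, eA, [])  # Alice computes E_B/<R_B + [s_A]S_B>
    return EAB.j(), EBA.j()  # equal j-invariants: the shared secret j(E_AB)
```

`sidh()` returns the pair of $j$-invariants computed by Bob and by Alice; they coincide because both curves are isomorphic to $E_0/\langle P_A + [s_A]Q_A,\ P_B + [s_B]Q_B \rangle$, exactly the identity displayed on slide 32. `three_isogenous_curves()` lists $y^2 = x^3 + 2$, $y^2 = x^3 + 5x$, $y^2 = x^3 + (3 + 7i)x$ and $y^2 = x^3 + (3 + 4i)x$ together with their $j$-invariants $0, 1728, 1728, 1728$, which is also a check of the slide 21 count $\#S_{11^2} = \lfloor 11/12 \rfloor + 2 = 2$. What each party publishes is what slide 32 lists: the image curve and its own isogeny evaluated on the other party's basis points; `isogeny_chain` is the slide 38 factorisation, with the kernel generator at step $i$ being $[\ell^{e-1-i}]S_i$.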

SLIDE 39

SIDH: security

  • Setting: supersingular elliptic curves $E/\mathbb{F}_{p^2}$ where $p$ is a large prime
  • Hard problem: given $P, Q \in E$ and $\phi(P), \phi(Q) \in \phi(E)$, compute $\phi$ (where $\phi$ has fixed, smooth, public degree)
  • Best (known) attacks: classical $O(p^{1/4})$ and quantum $O(p^{1/6})$
  • Confidence: the above complexities are optimal for the (above generic) claw attack

SLIDE 40

(Our) parameters

  • $p = 2^{372} \cdot 3^{239} - 1$; $p \approx 2^{768}$ gives $\approx 192$ bits classical and 128 bits quantum security against the best known attacks
  • $E_0/\mathbb{F}_{p^2} : y^2 = x^3 + x$, $\#E_0 = (p + 1)^2 = (2^{372} \cdot 3^{239})^2$ (easy ECDLP)
  • $P_A, P_B \in E_0(\mathbb{F}_p)$, $Q_A = \tau(P_A)$, $Q_B = \tau(P_B)$
  • Public key: $\mathrm{PK} = (x(P), x(Q), x(Q - P)) \in \mathbb{F}_{p^2}^3$
  • Sizes: public key 564 bytes; params 376 bytes; private key $s_A, s_B \in \mathbb{Z}$, 48 bytes; shared secret $j(E_{AB}) \in \mathbb{F}_{p^2}$, 188 bytes

SLIDE 41

Point and isogeny arithmetic in $\mathbb{P}^1$

  • $E_{a,b} : by^2 = x^3 + ax^2 + x$
  • $E_{(A:B:C)} : BY^2Z = CX^3 + AX^2Z + CXZ^2$, with $(x, y) \leftrightarrow (X : Y : Z)$ and $(a, b) \leftrightarrow (A : B : C)$
  • $\mathbb{P}^1$ point arithmetic (Montgomery): $(X : Z) \mapsto (X' : Z')$
  • $\mathbb{P}^1$ isogeny arithmetic (this work): $(A : C) \mapsto (A' : C')$
  • ECDH: move around different points on a fixed curve. SIDH: move around different points and different curves
  • The Montgomery $B$ coefficient only fixes the quadratic twist. Can ignore it in SIDH since $j(E) = j(E')$

SLIDE 42

Performance comparison (our work vs. prior work)

  • Public key size (bytes): uncompressed 564 vs. 768; compressed 330 vs. 385
  • Uncompressed speed (cc × 10^6): Alice total 90 vs. 267; Bob total 102 vs. 274
  • Compressed speed (cc × 10^6): Alice total 239 vs. 6887; Bob total 263 vs. 8514

(see the papers for references and benchmarking details)

SLIDE 43

SIDH vs. lattice "DH" primitives

Table: ms for a full DH round (Alice + Bob) on a 2.6GHz Intel Xeon i5 (Sandy Bridge). See "Frodo" for benchmarking details.

  • Frodo (LWE): full DH 2.600 ms, PK size 11,300 bytes
  • NewHope (R-LWE): full DH 0.310 ms, PK size 1,792 bytes
  • NTRU (NTRU): full DH 2.429 ms, PK size 1,024 bytes
  • SIDH (supersingular isogeny): full DH 900 ms, PK size 564 bytes

All numbers above are for plain C implementations (e.g., SIDH with assembly optimizations is 56ms)

SLIDE 44

Compressed SIDH vs. lattice "DH" primitives

  • Frodo (LWE): full DH 2.600 ms, PK size 11,300 bytes
  • NewHope (R-LWE): full DH 0.310 ms, PK size 1,792 bytes
  • NTRU (NTRU): full DH 2.429 ms, PK size 1,024 bytes
  • SIDH (supersingular isogeny): full DH ≈ 2390 ms, PK size 330 bytes

Compressed SIDH is roughly 2-3× slower than uncompressed SIDH.

SLIDE 45

Further topics and recent work...

SLIDE 46

Validating public keys

  • Issues regarding public key validation: Asiacrypt 2016 paper by Galbraith-Petit-Shani-Ti
  • NSA countermeasure: "Failure is not an option: standardization issues for PQ key agreement"
  • Thus, the library currently supports ephemeral DH only
  • But all PQ key establishment (codes, lattices) suffers from this

SLIDE 47

BigMont: a strong SIDH+ECDH hybrid

  • No clear frontrunner for PQ key exchange
  • A hybrid is a particularly good idea for (relatively young) SIDH
  • A hybrid is particularly easy for SIDH

There are exponentially many $A$ such that $E_A/\mathbb{F}_{p^2} : y^2 = x^3 + Ax^2 + x$ is in the supersingular isogeny class. These are all unsuitable for ECDH. There are also exponentially many $A$ such that $E_A/\mathbb{F}_{p^2} : y^2 = x^3 + Ax^2 + x$ is suitable for ECDH, e.g. $A = 624450$.

SLIDE 48

SIDH vs. SIDH+ECDH hybrid

  • Bit security (hard problem): classical 192 (SSDDH) vs. 384 (ECDHP); quantum 128 (SSDDH) vs. 128 (SSDDH)
  • Public key size (bytes): 564 vs. 658
  • Speed (cc × 10^6): Alice key gen. 46 vs. 52; Bob key gen. 52 vs. 58; Alice shared sec. 44 vs. 50; Bob shared sec. 50 vs. 57

Colossal amount of classical security almost for free (≈ no more code)

SLIDE 49

Simple, compact, (relatively) efficient isogenies of arbitrary degree

C-Hisil: For a point $P$ of odd order $\ell = 2d + 1$ on a Montgomery curve $E$, the map $\phi : E \to E'$, $(x, y) \mapsto (\phi_x(x),\ y \cdot \phi_x'(x))$ with
$\phi_x(x) = x \cdot \prod_{1 \le i \le d} \left( \frac{x \cdot x([i]P) - 1}{x - x([i]P)} \right)^2$
is an $\ell$-isogeny with $\ker \phi = \langle P \rangle$, and moreover, $E'$ is a Montgomery curve.

SLIDE 50

Arbitrary degree isogenies

Need not have $p = 2^i 3^j - 1$; can easily implement $p = \prod_i q_i^{m_i} \cdot \prod_k r_k^{n_k} - 1$ with $\gcd\left(\prod_i q_i, \prod_k r_k\right) = 1$

SLIDE 51

Questions?