isogeny based cryptography

isogeny-based cryptography Craig Costello Summer School on - PowerPoint PPT Presentation



  1. An introduction to supersingular isogeny-based cryptography. Craig Costello. Summer School on Real-World Crypto and Privacy, June 8, 2017, Šibenik, Croatia

  2. Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. Luca De Feo, David Jao, Jérôme Plût. http://eprint.iacr.org/2011/506
     • Full version of Crypto'16 paper (joint with P. Longa and M. Naehrig): http://eprint.iacr.org/2016/413
     • Full version of Eurocrypt'17 paper (joint with D. Jao, P. Longa, M. Naehrig, D. Urbanik, J. Renes): http://eprint.iacr.org/2016/963
     • Preprint of recent work on flexible SIDH (joint with H. Hisil): http://eprint.iacr.org/2017/504
     • SIDH library v2.0: https://www.microsoft.com/en-us/research/project/sidh-library/

  3. W. Castryck (GIF): "Elliptic curves are dead: long live elliptic curves" https://www.esat.kuleuven.be/cosic/?p=7404

  4. Part 1: Motivation Part 2: Preliminaries Part 3: SIDH

  5. Quantum computers ↔ Cryptopocalypse • Quantum computers break elliptic curves, finite fields, factoring, everything currently used for PKC • Aug 2015: NSA announces plans to transition to quantum-resistant algorithms • Feb 2016: NIST calls for quantum-secure submissions. Deadline Nov 30, 2017

  6. Post-quantum key exchange: which hard problem(s) to use now??? This talk: supersingular isogenies

  7. Diffie-Hellman(ish) instantiations
     Columns: DH | ECDH | R-LWE [BCNS'15, newhope, NTRU] | LWE [Frodo] | SIDH [DJP14, CLN16]
     elements: integers $g$ modulo a prime | points $P$ in a curve group | elements $a$ in the ring $R = \mathbb{Z}_q[x]/\langle \Phi_n(x) \rangle$ | matrices $A$ in $\mathbb{Z}_q^{n \times n}$ | curves $E$ in an isogeny class
     secrets: exponents $x$ | scalars $k$ | small errors $s, e \in R$ | small $s, e \in \mathbb{Z}_q$ | isogenies $\phi$
     computations: $g, x \mapsto g^x$ | $k, P \mapsto [k]P$ | $a, s, e \mapsto as + e$ | $A, s, e \mapsto As + e$ | $\phi, E \mapsto \phi(E)$
     hard problem: given $g, g^x$, find $x$ | given $P, [k]P$, find $k$ | given $a, as + e$, find $s$ | given $A, As + e$, find $s$ | given $E, \phi(E)$, find $\phi$

  8. Part 1: Motivation Part 2: Preliminaries Part 3: SIDH

  9. Extension fields. To construct the degree-$n$ extension field $\mathbb{F}_{q^n}$ of a finite field $\mathbb{F}_q$, take $\mathbb{F}_{q^n} = \mathbb{F}_q(\alpha)$ where $f(\alpha) = 0$ and $f(x)$ is irreducible of degree $n$ in $\mathbb{F}_q[x]$. Example: for any prime $p \equiv 3 \bmod 4$, can take $\mathbb{F}_{p^2} = \mathbb{F}_p(i)$ where $i^2 + 1 = 0$

  10. Elliptic curves and $j$-invariants
     • Recall that every elliptic curve $E$ over a field $K$ with $\operatorname{char} K > 3$ can be defined by $E: y^2 = x^3 + ax + b$, where $a, b \in K$, $4a^3 + 27b^2 \neq 0$
     • For any extension $K'/K$, the set of $K'$-rational points forms a group with identity $\infty$
     • The $j$-invariant $j(E) = j(a, b) = 1728 \cdot \frac{4a^3}{4a^3 + 27b^2}$ determines the isomorphism class over $\bar{K}$
     • E.g., $E': y^2 = x^3 + au^2 x + bu^3$ is isomorphic to $E$ for all $u \in K^*$
     • Recover a curve from $j$: e.g., set $a = -3c$ and $b = 2c$ with $c = j/(j - 1728)$

  11. Example. Over $\mathbb{F}_{13}$, the curves $E_1: y^2 = x^3 + 9x + 8$ and $E_2: y^2 = x^3 + 3x + 5$ are isomorphic, since
     $j(E_1) = 1728 \cdot \frac{4 \cdot 9^3}{4 \cdot 9^3 + 27 \cdot 8^2} = 3 = 1728 \cdot \frac{4 \cdot 3^3}{4 \cdot 3^3 + 27 \cdot 5^2} = j(E_2)$.
     An isomorphism is given by $\psi: E_1 \to E_2,\ (x, y) \mapsto (10x, 5y)$, with inverse $\psi^{-1}: E_2 \to E_1,\ (x, y) \mapsto (4x, 8y)$, noting that $\psi(\infty_1) = \infty_2$
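The $j$-invariant recipe of slide 10 and the $\mathbb{F}_{13}$ example of slide 11, checked by brute force. This is an added example, not code from the slides; it also verifies the claim that $y^2 = x^3 + au^2x + bu^3$ has the same $j$ for every unit $u$.

```python
# Added example (not from the slides): j-invariants, curve recovery from j,
# and the isomorphism E1 -> E2 over F_13, all checked by exhaustive search.
P = 13  # the prime field F_13 used in the slide's example


def j_invariant(a, b, p):
    """j(E) = 1728 * 4a^3 / (4a^3 + 27b^2) for E: y^2 = x^3 + ax + b over F_p."""
    num = 4 * pow(a, 3, p)
    den = (num + 27 * b * b) % p
    assert den != 0, "singular curve"
    return 1728 * num * pow(den, -1, p) % p


def affine_points(a, b, p):
    """All affine F_p-rational points of y^2 = x^3 + ax + b (brute force)."""
    return {(x, y) for x in range(p) for y in range(p)
            if (y * y - (x ** 3 + a * x + b)) % p == 0}


def curve_from_j(j, p):
    """Slide-10 recipe: a = -3c, b = 2c with c = j/(j - 1728).
    Assumes j is neither 0 nor 1728, where the recipe degenerates."""
    c = j * pow((j - 1728) % p, -1, p) % p
    return (-3 * c) % p, (2 * c) % p


def isomorphism_check(p=P):
    """E1: y^2 = x^3 + 9x + 8 and E2: y^2 = x^3 + 3x + 5 over F_13.
    Returns (j(E1), j(E2), whether psi maps E1(F_13) bijectively onto E2(F_13))."""
    e1, e2 = affine_points(9, 8, p), affine_points(3, 5, p)
    psi = lambda pt: (10 * pt[0] % p, 5 * pt[1] % p)      # (x, y) -> (10x, 5y)
    psi_inv = lambda pt: (4 * pt[0] % p, 8 * pt[1] % p)   # (x, y) -> (4x, 8y)
    onto = {psi(pt) for pt in e1} == e2
    back = all(psi_inv(psi(pt)) == pt for pt in e1)
    return j_invariant(9, 8, p), j_invariant(3, 5, p), onto and back
```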

  12. Torsion subgroups
     • The multiplication-by-$n$ map: $[n]: E \to E,\ P \mapsto [n]P$
     • The $n$-torsion subgroup is the kernel of $[n]$: $E[n] = \{P \in E(\bar{K}) : [n]P = \infty\}$
     • Found as the roots of the $n$-th division polynomial $\psi_n$
     • If $\operatorname{char} K$ doesn't divide $n$, then $E[n] \simeq \mathbb{Z}_n \times \mathbb{Z}_n$

  13. Example ($n = 3$)
     • Consider $E/\mathbb{F}_{11}: y^2 = x^3 + 4$ with $\#E(\mathbb{F}_{11}) = 12$
     • The 3-division polynomial $\psi_3(x) = 3x^4 + 4x$ partially splits as $\psi_3(x) = 3x(x + 3)(x^2 + 8x + 9)$
     • Thus, $x = 0$ and $x = -3$ give 3-torsion points. The points $(0, 2)$ and $(0, 9)$ are in $E(\mathbb{F}_{11})$, but the rest lie in $E(\mathbb{F}_{11^2})$
     • Write $\mathbb{F}_{11^2} = \mathbb{F}_{11}(i)$ with $i^2 + 1 = 0$. $\psi_3(x)$ splits over $\mathbb{F}_{11^2}$ as $\psi_3(x) = 3x(x + 3)(x + 9i + 4)(x + 2i + 4)$
     • Observe $E[3] \simeq \mathbb{Z}_3 \times \mathbb{Z}_3$, i.e., 4 cyclic subgroups of order 3
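The 3-torsion computation of slides 12 and 13, carried out by hand over $\mathbb{F}_{11^2} = \mathbb{F}_{11}(i)$. This is an added example, not code from the slides; it represents $u + vi$ as the pair $(u, v)$ and finds the roots of $\psi_3$ by exhaustive search.

```python
# Added example (not from the slides): E[3] for E: y^2 = x^3 + 4 over
# F_121 = F_11(i), i^2 = -1, via the 3-division polynomial psi_3.
P = 11
A, B = 0, 4  # E: y^2 = x^3 + A x + B

# Elements of F_121 are pairs (u, v) meaning u + v*i; i^2 = -1 works since 11 = 3 mod 4.
def add(s, t):
    return ((s[0] + t[0]) % P, (s[1] + t[1]) % P)

def mul(s, t):
    return ((s[0] * t[0] - s[1] * t[1]) % P, (s[0] * t[1] + s[1] * t[0]) % P)

def scale(k, s):
    return (k * s[0] % P, k * s[1] % P)

def div_poly_3(x):
    """psi_3(x) = 3x^4 + 6A x^2 + 12B x - A^2 for y^2 = x^3 + Ax + B, evaluated in F_121."""
    x2 = mul(x, x)
    x4 = mul(x2, x2)
    return add(add(scale(3, x4), scale(6 * A, x2)), add(scale(12 * B, x), (-A * A % P, 0)))

FIELD = [(u, v) for u in range(P) for v in range(P)]

def torsion_3_points():
    """Affine points of E[3] over F_121: each root x of psi_3 with both square roots of x^3 + Ax + B."""
    pts = []
    for x in FIELD:
        if div_poly_3(x) != (0, 0):
            continue
        rhs = add(mul(mul(x, x), x), add(scale(A, x), (B, 0)))
        pts += [(x, y) for y in FIELD if mul(y, y) == rhs]
    return pts

def roots_of_psi3():
    return sorted({x for x, _ in torsion_3_points()})

def rational_3_torsion():
    """The 3-torsion points already defined over F_11 (imaginary parts zero)."""
    return sorted({(x[0], y[0]) for x, y in torsion_3_points() if x[1] == 0 and y[1] == 0})

def cyclic_subgroups_of_order_3():
    """Each order-3 subgroup {inf, Q, -Q} contributes exactly two affine points."""
    return len(torsion_3_points()) // 2
```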

  14. Subgroup isogenies
     • Isogeny: a morphism (rational map) $\phi: E_1 \to E_2$ that preserves the identity, i.e. $\phi(\infty_1) = \infty_2$
     • The degree of a (separable) isogeny is the number of elements in its kernel, the same as its degree as a rational map
     • Given a finite subgroup $G \subseteq E_1$, there is a unique curve $E_2$ and isogeny $\phi: E_1 \to E_2$ (up to isomorphism) having kernel $G$. Write $E_2 = \phi(E_1) = E_1/\langle G \rangle$.

  15. Subgroup isogenies: special cases
     • Isomorphisms are a special case of isogenies where the kernel is trivial: $\phi: E_1 \to E_2$, $\ker \phi = \{\infty_1\}$
     • Endomorphisms are a special case of isogenies where the domain and co-domain are the same curve: $\phi: E_1 \to E_1$, $\ker \phi = G$, $|G| > 1$
     • Perhaps think of isogenies as a generalization of either/both: isogenies allow a non-trivial kernel and allow different domain/co-domain
     • Isogenies are *almost* isomorphisms

  16. Vélu's formulas. Given any finite subgroup $G$ of $E$, we may form a quotient isogeny $\phi: E \to E' = E/G$ with kernel $G$ using Vélu's formulas.
     Example: $E: y^2 = (x^2 + b_1 x + b_0)(x - a)$. The point $(a, 0)$ has order 2; the quotient of $E$ by $\langle (a, 0) \rangle$ gives an isogeny $\phi: E \to E' = E/\langle (a, 0) \rangle$, where
     $E': y^2 = x^3 - (4a + 2b_1)x^2 + (b_1^2 - 4b_0)x$,
     and where $\phi$ maps $(x, y)$ to
     $\left( \frac{x^3 - (a - b_1)x^2 - (ab_1 - b_0)x - ab_0}{(x - a)^2},\ \frac{y\,(x^2 - 2ax - ab_1 - b_0)}{(x - a)^2} \right)$

  17. Vélu's formulas. Given curve coefficients $a, b$ for $E$, and all of the $x$-coordinates $x_i$ of the subgroup $G \subseteq E$, Vélu's formulas output $a', b'$ for $E'$, and the map $\phi: E \to E',\ (x, y) \mapsto \left( \frac{f_1(x, y)}{g_1(x, y)},\ \frac{f_2(x, y)}{g_2(x, y)} \right)$
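The degree-2 instance of Vélu's formulas from slide 16, in the shape slide 17 describes (rational functions $f_1/g_1$, $f_2/g_2$), checked over a small field. This is an added example, not code from the slides; the curve $y^2 = (x^2 + x + 1)(x - 2)$ over $\mathbb{F}_{13}$ is a constructed instance, and the check that both curves have the same number of $\mathbb{F}_{13}$-points anticipates Fact 2 of slide 20.

```python
# Added example (not from the slides): the 2-isogeny of slide 16 for the
# constructed curve E: y^2 = (x^2 + x + 1)(x - 2) over F_13, verified by brute force.
P = 13
A, B1, B0 = 2, 1, 1  # E: y^2 = (x^2 + B1 x + B0)(x - A); (A, 0) has order 2

def inv(v):
    return pow(v % P, -1, P)

def codomain():
    """E' = E/<(A,0)>: y^2 = x^3 + c2 x^2 + c4 x with c2 = -(4A + 2B1), c4 = B1^2 - 4B0."""
    return (-(4 * A + 2 * B1)) % P, (B1 * B1 - 4 * B0) % P

def on_E(x, y):
    return (y * y - (x * x + B1 * x + B0) * (x - A)) % P == 0

def on_E_prime(x, y):
    c2, c4 = codomain()
    return (y * y - (x ** 3 + c2 * x * x + c4 * x)) % P == 0

def phi(pt):
    """Velu map with kernel <(A,0)>; None stands for the point at infinity."""
    if pt is None or pt[0] == A:          # the kernel point (A,0) and inf both map to inf
        return None
    x, y = pt
    d = inv((x - A) ** 2)                 # common denominator (x - A)^2 of slide 16
    X = (x ** 3 - (A - B1) * x * x - (A * B1 - B0) * x - A * B0) * d % P
    Y = y * (x * x - 2 * A * x - A * B1 - B0) * d % P
    return X, Y

def points(on_curve):
    """Affine F_13-points of whichever curve equation is passed in (brute force)."""
    return [(x, y) for x in range(P) for y in range(P) if on_curve(x, y)]

def image_lands_on_codomain():
    """Every point of E(F_13) maps onto E'(F_13) or to infinity."""
    return all(phi(pt) is None or on_E_prime(*phi(pt)) for pt in points(on_E))

def point_counts():
    """(#affine points of E, #affine points of E'); isogenous curves agree (Tate)."""
    return len(points(on_E)), len(points(on_E_prime))
```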

  18. Example, cont. ($G = E[3]$)
     • Recall $E/\mathbb{F}_{11}: y^2 = x^3 + 4$ with $\#E(\mathbb{F}_{11}) = 12$
     • Consider $[3]: E \to E$, the multiplication-by-3 endomorphism
     • $G = \ker [3]$, which is not cyclic
     • Conversely, given the subgroup $G$, the unique isogeny $\phi$ with $\ker \phi = G$ turns out to be the endomorphism $\phi = [3]$
     • But what happens if we instead take $G$ as one of the cyclic subgroups of order 3?

  19. Example, cont. (diagram: $E/\mathbb{F}_{11}: y^2 = x^3 + 4$ with isogenies $\phi_1, \phi_2, \phi_3, \phi_4$ to the curves below)
     • $E_1/\mathbb{F}_{11}: y^2 = x^3 + 2$
     • $E_2/\mathbb{F}_{11}: y^2 = x^3 + 5x$
     • $E_3/\mathbb{F}_{11^2}: y^2 = x^3 + (7i + 3)x$
     • $E_4/\mathbb{F}_{11^2}: y^2 = x^3 + (4i + 3)x$
     $E_1, E_2, E_3, E_4$ are all 3-isogenous to $E$, but what's the relation to each other?

  20. Isomorphisms and isogenies
     • Fact 1: $E_1$ and $E_2$ are isomorphic iff $j(E_1) = j(E_2)$
     • Fact 2: $E_1$ and $E_2$ are isogenous iff $\#E_1 = \#E_2$ (Tate)
     • Fact 3: $q + 1 - 2\sqrt{q} \le \#E(\mathbb{F}_q) \le q + 1 + 2\sqrt{q}$ (Hasse)
     Upshot for fixed $q$: $O(\sqrt{q})$ isogeny classes, $O(q)$ isomorphism classes

  21. Supersingular curves
     • $E/\mathbb{F}_q$ with $q = p^n$ is supersingular iff $E[p] = \{\infty\}$
     • Fact: all supersingular curves can be defined over $\mathbb{F}_{p^2}$
     • Let $S_{p^2}$ be the set of supersingular $j$-invariants. Theorem: $\#S_{p^2} = \lfloor p/12 \rfloor + b$, $b \in \{0, 1, 2\}$

  22. The supersingular isogeny graph
     • We are interested in the set of supersingular curves (up to isomorphism) over a specific field
     • Thm (Mestre): all supersingular curves over $\mathbb{F}_{p^2}$ are in the same isogeny class
     • Fact (see previous slides): for every prime $\ell$ not dividing $p$, there exist $\ell + 1$ isogenies of degree $\ell$ originating from any supersingular curve
     Upshot: this immediately leads to an $(\ell + 1)$-regular directed graph $X(S_{p^2}, \ell)$

  23. E.g. a supersingular isogeny graph
     • Let $p = 241$, $\mathbb{F}_{p^2} = \mathbb{F}_p(w) = \mathbb{F}_p[x]/(x^2 - 3x + 7)$
     • $\#S_{p^2} = 20$
     • $S_{p^2} = \{93, 51w + 30, 190w + 183, 240, 216, 45w + 211, 196w + 105, 64, 155w + 3, 74w + 50, 86w + 227, 167w + 31, 175w + 237, 66w + 39, 8, 23w + 193, 218w + 21, 28, 49w + 112, 192w + 18\}$
     Credit to Fre Vercauteren for example and pictures…
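A check of the $p = 241$ data on slides 21 and 23 restricted to the six $j$-invariants that lie in $\mathbb{F}_p$ itself (the other fourteen live in $\mathbb{F}_{p^2}$ and would need quadratic-extension arithmetic). This is an added example, not code from the slides; it uses the $j \mapsto$ curve recipe of slide 10 and the point-counting form of the supersingularity criterion, $\#E(\mathbb{F}_p) = p + 1$, which is equivalent to $E[p] = \{\infty\}$ for $p > 3$.

```python
# Added example (not from the slides): pick out the F_p-rational supersingular
# j-invariants for p = 241 by point counting (E/F_p supersingular iff #E(F_p) = p + 1).
P = 241

def legendre(v):
    """Legendre symbol (v/p) as -1, 0 or 1, via Euler's criterion."""
    v %= P
    if v == 0:
        return 0
    return 1 if pow(v, (P - 1) // 2, P) == 1 else -1

def curve_from_j(j):
    """A short Weierstrass curve with j-invariant j (slide-10 recipe a = -3c, b = 2c,
    c = j/(j - 1728)); j = 0 and j = 1728 are handled separately since the recipe
    degenerates there. Supersingularity does not depend on the twist chosen."""
    j %= P
    if j == 0:
        return 0, 1            # y^2 = x^3 + 1
    if j == 1728 % P:
        return 1, 0            # y^2 = x^3 + x
    c = j * pow((j - 1728) % P, -1, P) % P
    return (-3 * c) % P, (2 * c) % P

def count_points(a, b):
    """#E(F_p) = p + 1 + sum_x (x^3 + ax + b | p), including the point at infinity."""
    return P + 1 + sum(legendre(x ** 3 + a * x + b) for x in range(P))

def is_supersingular(j):
    # trace of Frobenius is 0 mod p, and |trace| <= 2 sqrt(p) < p forces trace = 0
    return count_points(*curve_from_j(j)) == P + 1

def rational_supersingular_js():
    """All supersingular j in F_p itself; should match the F_p entries of S_{p^2} on slide 23."""
    return sorted(j for j in range(P) if is_supersingular(j))
```

Since $241 \equiv 1 \pmod 4$ and $241 \equiv 1 \pmod 3$, neither $j = 1728$ nor $j = 0$ is supersingular here, consistent with their absence from the slide's list.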

  24. Supersingular isogeny graph for $\ell = 2$: $X(S_{241^2}, 2)$ (figure not reproduced)

  25. Supersingular isogeny graph for $\ell = 3$: $X(S_{241^2}, 3)$ (figure not reproduced)

  26. Supersingular isogeny graphs are Ramanujan graphs. Rapid mixing property: let $S$ be any subset of the vertices of the graph $G$, and $x$ be any vertex in $G$. A "long enough" random walk from $x$ will land in $S$ with probability at least $\frac{|S|}{2|G|}$. See De Feo, Jao, Plût (Prop 2.1) for the precise formula describing what's "long enough"

  27. Part 1: Motivation Part 2: Preliminaries Part 3: SIDH
