Isogeny-Based Cryptography
Tanja Lange (with lots of slides by Lorenz Panny), Eindhoven University of Technology, 20 & 21 July 2020


  8. The beauty and the beast
  Components of well-chosen isogeny graphs look like this: [figure: two graph components, one built from cycles, one expander-like]
  Which of these is good for crypto? Both.
  At this time, there are two distinct families of systems:
  ◮ CSIDH ["si:saId], isogeny graph over $\mathbb{F}_q$ with $q = p$: https://csidh.isogeny.org
  ◮ SIDH, isogeny graph over $\mathbb{F}_q$ with $q = p^2$: https://sike.org
  Tanja Lange Isogeny-Based Cryptography 8

  9. CSIDH ["si:saId] (Castryck, Lange, Martindale, Panny, Renes; 2018)

  10. Why CSIDH?
  ◮ Closest thing we have in PQC to normal DH key exchange: keys can be reused, blinded; no difference between initiator and responder.
  ◮ Public keys are represented by some $A \in \mathbb{F}_p$; $p$ fixed prime.
  ◮ Alice computes and distributes her public key $A$. Bob computes and distributes his public key $B$.
  ◮ Alice and Bob do computations on each other's public keys to obtain the shared secret.
  ◮ Fancy math: computations start on some elliptic curve $E_A: y^2 = x^3 + Ax^2 + x$, use isogenies to move to a different curve.
  ◮ Computations need arithmetic (add, mult, div) modulo $p$ and elliptic-curve computations.

  11. Math slide #1: Elliptic curves (nodes)
  An elliptic curve over $\mathbb{F}_p$ is given by an equation $E: y^2 = x^3 + ax + b$, with $4a^3 - 27b^2 \neq 0$.
  A point $P = (x, y)$ on $E$ is a solution to this equation or the point $\infty$ at infinity.
  $E$ is an abelian group: we can "add" and "subtract" points.
  ◮ The neutral element is $\infty$.
  ◮ The inverse of $(x, y)$ is $(x, -y)$.
  ◮ The sum of $P_1 = (x_1, y_1)$ and $P_2 = (x_2, y_2)$ is $P_3 = (x_3, y_3) = \left( \lambda^2 - x_1 - x_2,\ \lambda (x_1 - x_3) - y_1 \right)$, where $\lambda = (y_2 - y_1)/(x_2 - x_1)$ if $x_1 \neq x_2$ and $\lambda = (3x_1^2 + a)/(2y_1)$ if $P_1 = P_2 \neq -P_1$.
  Takeaway: Computations in $\mathbb{F}_p$, some formulas.
  Other curve shapes, such as Montgomery curves $y^2 = x^3 + Ax^2 + x$, are faster.

  12. Math slide #2: Isogenies (edges)
  An isogeny of elliptic curves is a non-zero map $E \to E'$
  ◮ given by rational functions
  ◮ that is a group homomorphism.
  The degree of a separable isogeny is the size of its kernel.
  Example #1: For each $m \neq 0$, the multiplication-by-$m$ map $[m]: E \to E$ is a degree-$m^2$ isogeny. If $m \neq 0$ in the base field, its kernel is $E[m] \cong \mathbb{Z}/m \times \mathbb{Z}/m$.
  Example #2: For any $a$ and $b$, the map $\iota: (x, y) \mapsto (-x, \sqrt{-1} \cdot y)$ defines a degree-1 isogeny of the elliptic curves $\{ y^2 = x^3 + ax + b \} \to \{ y^2 = x^3 + ax - b \}$. It is an isomorphism; its kernel is $\{\infty\}$.
  Example #3: $(x, y) \mapsto \left( \dfrac{x^3 - 4x^2 + 30x - 12}{(x - 2)^2},\ \dfrac{x^3 - 6x^2 - 14x + 35}{(x - 2)^3} \cdot y \right)$ defines a degree-3 isogeny of the elliptic curves $\{ y^2 = x^3 + x \} \to \{ y^2 = x^3 - 3x + 3 \}$ over $\mathbb{F}_{71}$. Its kernel is $\{ (2, 9), (2, -9), \infty \}$.

  13. CSIDH in one slide
  ◮ Choose some small odd primes $\ell_1, \ldots, \ell_n$.
  ◮ Make sure $p = 4 \cdot \ell_1 \cdots \ell_n - 1$ is prime.
  ◮ Let $X = \{ y^2 = x^3 + Ax^2 + x \text{ over } \mathbb{F}_p \text{ with } p + 1 \text{ points} \}$.
  ◮ Look at the $\ell_i$-isogenies defined over $\mathbb{F}_p$ within $X$.
  magic math happens! [figure: the isogeny graph for $p = 419$, $\ell_1 = 3$, $\ell_2 = 5$, $\ell_3 = 7$]
  ◮ Walking "left" and "right" on any $\ell_i$-subgraph is efficient.
  ◮ We can represent $E \in X$ as a single coefficient $A \in \mathbb{F}_p$.

  14. Walking in the CSIDH graph
  Taking a "positive" step on the $\ell_i$-subgraph.
  1. Find a point $(x, y) \in E$ of order $\ell_i$ with $x, y \in \mathbb{F}_p$. The order of any such $(x, y) \in E$ divides $p + 1$, so $[(p + 1)/\ell_i](x, y) = \infty$ or a point of order $\ell_i$. Sample a new point if you get $\infty$.
  2. Compute the isogeny with kernel $\langle (x, y) \rangle$ (see next slide).
  Taking a "negative" step on the $\ell_i$-subgraph.
  1. Find a point $(x, y) \in E$ of order $\ell_i$ with $x \in \mathbb{F}_p$ but $y \notin \mathbb{F}_p$. This uses scalar multiplication by $(p + 1)/\ell_i$.
  2. Compute the isogeny with kernel $\langle (x, y) \rangle$ (see next slide).
  Upshot: With "$x$-only arithmetic" everything happens over $\mathbb{F}_p$. $\Rightarrow$ Efficient to implement!

  15. Math slide #3: Isogenies and kernels
  For any finite subgroup $G$ of $E$, there exists a unique¹ separable isogeny $\varphi_G: E \to E'$ with kernel $G$.
  The curve $E'$ is called $E/G$. ($\approx$ quotient groups)
  If $G$ is defined over $k$, then $\varphi_G$ and $E/G$ are also defined over $k$.
  Vélu '71: Formulas for computing $E/G$ and evaluating $\varphi_G$ at a point. Complexity: $\Theta(\#G)$ $\Rightarrow$ only suitable for small degrees.
  Vélu operates in the field where the points in $G$ live.
  $\Rightarrow$ need to make sure extensions stay small for desired $\#G$
  $\Rightarrow$ this is why we use special $p$ and curves with $p + 1$ points!
  Not all $k$-rational points of $E/G$ are in the image of $k$-rational points on $E$; but $\#E(k) = \#(E/G)(k)$.
  ¹ (up to isomorphism of $E'$)

  16. CSIDH key exchange
  [figure, animated over several builds: Alice and Bob each hold a secret list of step counts, one entry per $\ell_i$, drawn as [ , , , ]; in each build the arrow ↑ marks the $\ell_i$-subgraph currently being walked, and the four-subgraph walk is shown twice, once for each party]

  17. Abstract from Diffie-Hellman dataflow
  "CSIDH: an efficient post-quantum commutative group action"
  Cycles are compatible: [right then left] = [left then right] $\Rightarrow$ only need to keep track of total step counts for each $\ell_i$.
  Example: [ , , , , , , , ] (eight single steps on three subgraphs, drawn as arrows in the original) just becomes $(+1, 0, -3) \in \mathbb{Z}^3$.
  There is a group action of $(\mathbb{Z}^n, +)$ on our set of curves $X$!
  Many paths are "useless". Fun fact: Quotienting out trivial actions yields the ideal-class group $\mathrm{cl}(\mathbb{Z}[\sqrt{-p}])$.

  18. Math slide #4: Quadratic twists
  (Not my fault . . . )
  $E'/k$ is a twist of the elliptic curve $E/k$ if $E$ is isomorphic to $E'$ over $\bar{k}$.
  For $E: y^2 = x^3 + Ax^2 + x$ over $\mathbb{F}_p$ with $p \equiv 3 \bmod 4$, the curve $E': -y^2 = x^3 + Ax^2 + x$ is isomorphic to $E$ via $(x, y) \mapsto (x, \sqrt{-1}\, y)$. This map is defined over $\mathbb{F}_{p^2}$, so this is a quadratic twist.
  Picking $(x, y)$ on $E$ with $x \in \mathbb{F}_p$, $y \notin \mathbb{F}_p$ implicitly picks a point in $E'(\mathbb{F}_p)$.
  $E'$ is not in the isogeny graph, does not have the right shape. $E'$ is isomorphic to $E'': y^2 = x^3 - Ax^2 + x$ via $(x, y) \mapsto (-x, y)$ over $\mathbb{F}_p$.

  19. Graphs of elliptic curves
  [figure: the graph for $p = 419$; its 27 nodes are $E_A$ for $A \in \{0, 158, 261, 410, 9, 368, 51, 404, 15, 75, 344, 144, 275, 191, 228, 174, 245, 413, 6, 379, 40, 124, 295, 199, 220, 390, 29\}$]
  Nodes: Supersingular elliptic curves $E_A: y^2 = x^3 + Ax^2 + x$ over $\mathbb{F}_{419}$.
  Each $E_A$ on the left has $E_{-A}$ on the right. Negative direction means: flip to twist, go positive direction, flip back.

  20. Math slide #5: Vélu's formulas
  Let $P$ have prime order $\ell$ on $E_A$. For $1 \le k < \ell$ let $x_k$ be the $x$-coordinate of $[k]P$. Let
  $\tau = \prod_{i=1}^{\ell - 1} x_i, \qquad \sigma = \sum_{i=1}^{\ell - 1} \left( x_i - \frac{1}{x_i} \right).$
  Then the $\ell$-isogeny from $E_A$ maps to $E_B$ with $B = \tau (A - 3\sigma)$.
  Main operation is to compute the $x_k$, just some elliptic-curve additions. Note that $[\ell - k]P = -[k]P$ and both have the same $x$-coordinate.
  Implementations often use projective formulas to avoid (or delay) inversions.

  21. Math slide #6: Class groups
  Reminder: $X = \{ y^2 = x^3 + Ax^2 + x \text{ over } \mathbb{F}_p \text{ with } p + 1 \text{ points} \}$.
  All curves in $X$ have $\mathbb{F}_p$-endomorphism ring $\mathcal{O} = \mathbb{Z}[\sqrt{-p}]$.
  Let $\pi$ be the Frobenius endomorphism. Ideal in $\mathcal{O}$ above $\ell_i$: $\mathfrak{l}_i = (\ell_i, \pi - 1)$.
  Moving $+$ in $X$ with an $\ell_i$-isogeny $\Leftrightarrow$ action of $\mathfrak{l}_i$ on $X$.
  More precisely: Subgroup corresponding to $\mathfrak{l}_i$ is $E[\mathfrak{l}_i] = E(\mathbb{F}_p)[\ell_i]$. (Note that $\ker(\pi - 1)$ is just the $\mathbb{F}_p$-rational points!)
  Subgroup corresponding to the conjugate ideal $\bar{\mathfrak{l}}_i = (\ell_i, \pi + 1)$ is $E[\bar{\mathfrak{l}}_i] = \{ P \in E[\ell_i] \mid \pi(P) = -P \}$.
  For Montgomery curves, $E[\bar{\mathfrak{l}}_i] = \{ (x, y) \in E[\ell_i] \mid x \in \mathbb{F}_p;\ y \notin \mathbb{F}_p \} \cup \{\infty\}$.

  22. Math slide #7: Commutative group action
  $\mathrm{cl}(\mathcal{O})$ acts on $X$.
  For most ideal classes the kernel is big and formulas are expensive to compute.
  $I = \mathfrak{l}_1^{10} \mathfrak{l}_2^{-7} \mathfrak{l}_3^{27}$ is a "big" ideal, but we can compute the action iteratively.
  $\mathrm{cl}(\mathcal{O})$ is commutative² so we get a commutative group action.
  The choice for CSIDH: Let $K = \{ [\mathfrak{l}_1^{e_1} \cdots \mathfrak{l}_n^{e_n}] \mid (e_1, \ldots, e_n) \text{ is "short"} \} \subseteq \mathrm{cl}(\mathcal{O})$.
  The action of $K$ on $X$ is very efficient! Pick $K$ as the keyspace.
  ² Important to use the $\mathbb{F}_p$-endomorphism ring.

  23. Cryptographic group actions
  Like in the CSIDH example, we generally get a DH-like key exchange from a commutative group action $G \times S \to S$ with a public element $s \in S$:
  Alice: random $a \leftarrow G$, sends $a * s$.
  Bob: random $b \leftarrow G$, sends $b * s$.
  Alice: key := $a * (b * s)$. Bob: key := $b * (a * s)$.

  24. Why no Shor?
  Shor computes $\alpha$ from $h = g^\alpha$ by finding the kernel of the map $f: \mathbb{Z}^2 \to G$, $(x, y) \mapsto g^x \cdot h^y$.
  For general group actions, we cannot compose $x * s$ and $y * (b * s)$. For CSIDH this would require composing two elliptic curves in some form compatible with the action of $G$.

  25. CSIDH security
  Core problem: Given $E, E' \in X$, find a smooth-degree isogeny $E \to E'$.
  Size of key space:
  ◮ About $\sqrt{p}$ of all $A \in \mathbb{F}_p$ are valid keys. (More precisely $\#\mathrm{cl}(\mathbb{Z}[\sqrt{-p}])$ keys.)
  Without quantum computer:
  ◮ Meet-in-the-middle variants: Time $O(\sqrt[4]{p})$. (2016 Delfs–Galbraith)
  With quantum computer:
  ◮ Abelian hidden-shift algorithms apply. (2014 Childs–Jao–Soukharev)
  ◮ Kuperberg's algorithm has subexponential complexity.
  CSIDH security:
  ◮ Public-key validation: Quickly check that $E_A: y^2 = x^3 + Ax^2 + x$ has $p + 1$ points.
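The following Python program is an added example for this page; it is neither part of the deck nor the CSIDH reference implementation. It ties together the walk of slide 14, Vélu's formula of slide 20, the class-group action of slides 21 to 23, the key exchange of slides 16 and 23, and the point-count validation mentioned on slide 25, all for the toy parameters of slide 13 ($p = 419$, $\ell_i \in \{3, 5, 7\}$). Assumptions not stated on the page: projective $x$-only Montgomery arithmetic (ladder and differential addition) is used so that negative steps work with twist points exactly as slide 14 describes; `velu` computes $B = \tau(A - 3\sigma)$ and pushes a second point through the isogeny with the standard companion $x$-coordinate map $x \mapsto x \prod_i (x x_i - 1)/(x - x_i)$; `group_action` follows the shape of the CSIDH paper's algorithm but walks through $x = 1, 2, 3, \ldots$ instead of sampling randomly, which is fine for a toy and makes runs reproducible; there is no constant-time or side-channel care at all; the secret exponent vectors in the demo are constructed. `is_supersingular` counts points by brute force and recovers the 27 nodes of slide 19; `j_montgomery` and `j_short` let you confirm that the degree-3 kernel $x = 2$ over $\mathbb{F}_{71}$ (slide 12, Example #3) lands on a curve isomorphic to $y^2 = x^3 - 3x + 3$.

```python
# Toy CSIDH over F_419 with l_i in {3, 5, 7}, the example parameters of slide 13.
# Added example, not the CSIDH reference code: x-only Montgomery arithmetic on
# E_A: y^2 = x^3 + A x^2 + x, Velu's formula of slide 20, and the class-group action
# of slides 14 and 21-23. No constant-time or side-channel hardening whatsoever.
from math import prod

P = 419                  # p = 4 * 3 * 5 * 7 - 1, so p + 1 = 4 * prod(ELLS)
ELLS = (3, 5, 7)

def inv(a, p=P):
    return pow(a % p, p - 2, p)

def is_square(a, p=P):
    """Euler's criterion, for a != 0 mod p."""
    return pow(a % p, (p - 1) // 2, p) == 1

def xdbl(Pt, A, p=P):
    """x([2]P) in projective (X:Z) form; Z == 0 means the point at infinity."""
    X, Z = Pt
    a, b = (X + Z) ** 2 % p, (X - Z) ** 2 % p
    c = (a - b) % p                                       # 4XZ
    return (a * b % p, c * (b + (A + 2) * inv(4, p) * c) % p)

def xadd(Pt, Qt, PmQ, p=P):
    """Differential addition: x(P+Q) from x(P), x(Q) and x(P-Q)."""
    (X1, Z1), (X2, Z2), (Xd, Zd) = Pt, Qt, PmQ
    a = (X1 + Z1) * (X2 - Z2) % p
    b = (X1 - Z1) * (X2 + Z2) % p
    return (Zd * (a + b) ** 2 % p, Xd * (a - b) ** 2 % p)

def xmul(Pt, k, A, p=P):
    """Montgomery ladder: x([k]P)."""
    R0, R1 = (1, 0), Pt
    for bit in bin(k)[2:]:
        if bit == "1":
            R0, R1 = xadd(R0, R1, Pt, p), xdbl(R1, A, p)
        else:
            R0, R1 = xdbl(R0, A, p), xadd(R0, R1, Pt, p)
    return R0

def velu(A, R, ell, Q, p=P):
    """Slide 20: for kernel <R> of odd prime order ell, B = tau * (A - 3 sigma);
    Q is pushed through x -> x * prod_i (x x_i - 1)/(x - x_i), kept projective."""
    pts = [R, xdbl(R, A, p)]                              # [i]R for i = 1 .. ell - 1
    for _ in range(ell - 3):
        pts.append(xadd(pts[-1], R, pts[-2], p))
    xs = [X * inv(Z, p) % p for X, Z in pts]
    tau = prod(xs) % p
    sigma = sum(xi - inv(xi, p) for xi in xs) % p
    B = tau * (A - 3 * sigma) % p
    X, Z = Q
    Xn = X * prod((X * xi - Z) % p for xi in xs) % p
    Zn = Z * prod((X - xi * Z) % p for xi in xs) % p      # Zn == 0 iff Q in kernel
    return B, (Xn, Zn)

def group_action(A, e, p=P, ells=ELLS):
    """E_A -> [l_1^e_1 ... l_n^e_n] * E_A. Positive steps use points of E_A(F_p),
    negative ones points with x in F_p but y not in F_p (slides 14 and 21)."""
    e, x = list(e), 0
    while any(e):
        x += 1                                            # deterministic stand-in for random x
        if x >= p:
            raise RuntimeError("no usable points left")   # cannot happen at these sizes
        rhs = (x ** 3 + A * x * x + x) % p
        if rhs == 0:                                      # 2-torsion point, useless
            continue
        s = 1 if is_square(rhs, p) else -1                # +1: on E_A(F_p); -1: on the twist
        S = [i for i, ei in enumerate(e) if ei * s > 0]
        if not S:
            continue
        k = prod(ells[i] for i in S)
        Q = xmul((x, 1), (p + 1) // k, A, p)              # order of Q divides k
        for i in S:
            R = xmul(Q, k // ells[i], A, p)               # order ell_i, or infinity
            if R[1] == 0:
                continue
            A, Q = velu(A, R, ells[i], Q, p)              # take the step, carry Q along
            e[i] -= s
            k //= ells[i]
    return A

def is_supersingular(A, p=P):
    """Brute-force public-key validation: E_A nonsingular with exactly p + 1 points."""
    count = 1 + p
    for x in range(p):
        rhs = (x ** 3 + A * x * x + x) % p
        if rhs:
            count += 1 if is_square(rhs, p) else -1
    return (A * A - 4) % p != 0 and count == p + 1

def j_montgomery(A, p=P):
    return 256 * pow(A * A - 3, 3, p) * inv(A * A - 4, p) % p

def j_short(a, b, p=P):
    return 1728 * 4 * pow(a, 3, p) * inv(4 * pow(a, 3, p) + 27 * b * b, p) % p

if __name__ == "__main__":
    ea, eb = (2, -1, 3), (-1, 2, 1)                       # constructed secret exponents
    A_alice, A_bob = group_action(0, ea), group_action(0, eb)
    print("shared:", group_action(A_bob, ea), group_action(A_alice, eb))
```

Running it prints the shared curve twice, once from each side. Note that $E_A$ and $E_{-A}$ are twists with the same $j$-invariant, so the $j$ check of slide 12 cannot tell a step from its reverse; the round-trip and commutativity checks on the $\mathbb{F}_{419}$ graph can, which is why the class-group action rather than a single isogeny is the right thing to test.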

  26. CSIDH-512
  https://csidh.isogeny.org/
  Definition:
  ◮ $p = 4 \cdot \prod_{i=1}^{74} \ell_i - 1$ with $\ell_1, \ldots, \ell_{73}$ the first 73 odd primes and $\ell_{74} = 587$.
  ◮ Exponents $-5 \le e_i \le 5$ for all $1 \le i \le 74$.
  Sizes:
  ◮ Private keys: 32 bytes. (37 in current software for simplicity.)
  ◮ Public keys: 64 bytes (just one $\mathbb{F}_p$ element).
  Performance on typical Intel Skylake laptop core:
  ◮ Clock cycles: about $12 \cdot 10^7$ per operation.
  ◮ Somewhat more for constant-time implementations.
  Security:
  ◮ Pre-quantum: at least 128 bits.
  ◮ Post-quantum: complicated. Recent work analyzing cost: see https://quantum.isogeny.org. Several papers analyzing Kuperberg (2018 Biasse–Iezzi–Jacobson, 2018–2020 Bonnetain–Schrottenloher, 2020 Peikert): https://csidh.isogeny.org/analysis.html

  27. CSIDH vs. Kuperberg
  Kuperberg's algorithm consists of two components:
  1. Evaluate the group action many times. ("oracle calls")
  2. Combine the results in a certain way. ("sieving")
  ◮ The algorithm admits many different tradeoffs.
  ◮ Oracle calls are expensive.
  ◮ The sieving phase has classical and quantum operations.
  How to compare costs? (Is one qubit operation $\approx$ one bit operation? a hundred? millions?)
  $\Rightarrow$ It is still rather unclear how to choose CSIDH parameters.
  ...but all known attacks cost $\exp\left( (\log p)^{1/2 + o(1)} \right)$! Recent improvements to sieving target the $o(1)$.
  Kuperberg applies to all commutative group actions.

  28. SIDH – avoid commutativity
  The supersingular isogeny graph over $\mathbb{F}_{p^2}$ looks different. Nodes are isomorphism classes of elliptic curves, taken over any extension field. (All isomorphism classes of supersingular elliptic curves are defined over $\mathbb{F}_{p^2}$.)

  29. SIDH: High-level view (2011 Jao–De Feo)
  Problem: quadratic twists are identified, $\ell + 1$ isogenies of degree $\ell$ from any curve, no more sense of direction.
  [diagram: commutative square $E \xrightarrow{\varphi_A} E/A$, $E \xrightarrow{\varphi_B} E/B$, $E/A \xrightarrow{\varphi_{B'}} E/\langle A, B \rangle$, $E/B \xrightarrow{\varphi_{A'}} E/\langle A, B \rangle$]
  ◮ Alice & Bob pick secret subgroups $A$ and $B$ of $E$.
  ◮ Alice computes $\varphi_A: E \to E/A$; Bob computes $\varphi_B: E \to E/B$. (These isogenies correspond to walking on the isogeny graph.)
  ◮ Alice and Bob transmit the values $E/A$ and $E/B$.
  ◮ Alice somehow obtains $A' := \varphi_B(A)$. (Similar for Bob.)
  ◮ They both compute the shared secret $(E/B)/A' \cong E/\langle A, B \rangle \cong (E/A)/B'$.
  ◮ Key is an isomorphism class; make this usable by taking the $j$-invariant.

  68. SIDH’s auxiliary points Previous slide: “Alice somehow obtains A ′ := ϕ B ( A ) .” Alice knows only A , Bob knows only ϕ B . Tanja Lange Isogeny-Based Cryptography 30

  69. SIDH’s auxiliary points Previous slide: “Alice somehow obtains A ′ := ϕ B ( A ) .” Alice knows only A , Bob knows only ϕ B . ◮ Alice picks A as � P + [ a ] Q � for fixed public P , Q ∈ E . ◮ Bob includes ϕ B ( P ) and ϕ B ( Q ) in his public key. Tanja Lange Isogeny-Based Cryptography 30
