isogeny graphs in cryptography
play

Isogeny Graphs in Cryptography Luca De Feo hand-drawings by Rachel - PowerPoint PPT Presentation

Mar 01, 2024 •271 likes •1.01k views

Isogeny Graphs in Cryptography Luca De Feo hand-drawings by Rachel Deyts Universit de Versailles & Inria, Universit Paris-Saclay May 31, 2018, Journes du Pr-GDR Scurit, Paris Elliptic curves Let E y 2 x 3 ax b be

  1. Isogeny Graphs in Cryptography Luca De Feo hand-drawings by Rachel Deyts Université de Versailles & Inria, Université Paris-Saclay May 31, 2018, Journées du Pré-GDR Sécurité, Paris

  2. Elliptic curves Let E ✿ y 2 ❂ x 3 ✰ ax ✰ b be an elliptic curve... R Q P P ✰ Q Luca De Feo (UVSQ & INRIA) Isogeny Graphs in Cryptography May 31, 2018, GDR Sécurité, Paris 2 / 44

  3. ✰ Elliptic curves Let E ✿ y 2 ❂ x 3 ✰ ax ✰ b be an elliptic curve... Luca De Feo (UVSQ & INRIA) Isogeny Graphs in Cryptography May 31, 2018, GDR Sécurité, Paris 2 / 44

  4. ✰ Elliptic curves Let E ✿ y 2 ❂ x 3 ✰ ax ✰ b be an elliptic curve... Luca De Feo (UVSQ & INRIA) Isogeny Graphs in Cryptography May 31, 2018, GDR Sécurité, Paris 2 / 44

  5. ✰ Elliptic curves Let E ✿ y 2 ❂ x 3 ✰ ax ✰ b be an elliptic curve... Luca De Feo (UVSQ & INRIA) Isogeny Graphs in Cryptography May 31, 2018, GDR Sécurité, Paris 2 / 44

  6. ✰ Elliptic curves Let E ✿ y 2 ❂ x 3 ✰ ax ✰ b be an elliptic curve... Luca De Feo (UVSQ & INRIA) Isogeny Graphs in Cryptography May 31, 2018, GDR Sécurité, Paris 2 / 44

  7. ✰ Elliptic curves Let E ✿ y 2 ❂ x 3 ✰ ax ✰ b be an elliptic curve... Luca De Feo (UVSQ & INRIA) Isogeny Graphs in Cryptography May 31, 2018, GDR Sécurité, Paris 2 / 44

  8. Elliptic curves Luca De Feo (UVSQ & INRIA) Isogeny Graphs in Cryptography May 31, 2018, GDR Sécurité, Paris 3 / 44

  9. The QUANTHOM Menace Luca De Feo (UVSQ & INRIA) Isogeny Graphs in Cryptography May 31, 2018, GDR Sécurité, Paris 4 / 44

  10. Post-quantum cryptographer? Luca De Feo (UVSQ & INRIA) Isogeny Graphs in Cryptography May 31, 2018, GDR Sécurité, Paris 5 / 44

  11. Elliptic curves of the world, UNITE! QUOUSQUE QUANTUM? QUANTUM SUFFICIT! Luca De Feo (UVSQ & INRIA) Isogeny Graphs in Cryptography May 31, 2018, GDR Sécurité, Paris 6 / 44

  12. And so, they found a way around the Quanthom... Luca De Feo (UVSQ & INRIA) Isogeny Graphs in Cryptography May 31, 2018, GDR Sécurité, Paris 7 / 44

  13. And so, they found a way around the Quanthom... Public curve Public curve Luca De Feo (UVSQ & INRIA) Isogeny Graphs in Cryptography May 31, 2018, GDR Sécurité, Paris 7 / 44

  14. And so, they found a way around the Quanthom... Public curve Shared secret Public curve Luca De Feo (UVSQ & INRIA) Isogeny Graphs in Cryptography May 31, 2018, GDR Sécurité, Paris 7 / 44

  15. What’s an isogeny? Rebus: 1-3-7-3-8-6 Luca De Feo (UVSQ & INRIA) Isogeny Graphs in Cryptography May 31, 2018, GDR Sécurité, Paris 8 / 44

  16. Isogenies Isogenies are just the right notion TM of morphism for elliptic curves Surjective group morphisms. Algebraic maps (i.e., defined by polynomials). (Separable) isogenies ✱ finite subgroups: ✦ E ✵ ✦ 0 ✣ 0 ✦ H ✦ E The kernel H determines the image curve E ✵ up to isomorphism def ❂ E ✵ ✿ E ❂ H Isogeny degree Neither of these definitions is quite correct, but they nearly are: The degree of ✣ is the cardinality of ❦❡r ✣ . (Bisson) the degree of ✣ is the time needed to compute it. Luca De Feo (UVSQ & INRIA) Isogeny Graphs in Cryptography May 31, 2018, GDR Sécurité, Paris 9 / 44

  17. ❋ ✄ ✼✦ Isogenies: an example over ❋ 11 E ✿ y 2 ❂ x 3 ✰ x E ✵ ✿ y 2 ❂ x 3 � 4 x ✥ ✦ x 2 ✰ 1 y x 2 � 1 ✣ ✭ x ❀ y ✮ ❂ ❀ x 2 x Luca De Feo (UVSQ & INRIA) Isogeny Graphs in Cryptography May 31, 2018, GDR Sécurité, Paris 10 / 44

  18. ❋ ✄ ✼✦ Isogenies: an example over ❋ 11 E ✿ y 2 ❂ x 3 ✰ x E ✵ ✿ y 2 ❂ x 3 � 4 x ✥ ✦ x 2 ✰ 1 y x 2 � 1 ✣ ✭ x ❀ y ✮ ❂ ❀ x 2 x Luca De Feo (UVSQ & INRIA) Isogeny Graphs in Cryptography May 31, 2018, GDR Sécurité, Paris 10 / 44

  19. ❋ ✄ ✼✦ Isogenies: an example over ❋ 11 E ✿ y 2 ❂ x 3 ✰ x E ✵ ✿ y 2 ❂ x 3 � 4 x ✥ ✦ x 2 ✰ 1 y x 2 � 1 ✣ ✭ x ❀ y ✮ ❂ ❀ x 2 x Luca De Feo (UVSQ & INRIA) Isogeny Graphs in Cryptography May 31, 2018, GDR Sécurité, Paris 10 / 44

  20. ❋ ✄ ✼✦ Isogenies: an example over ❋ 11 E ✿ y 2 ❂ x 3 ✰ x E ✵ ✿ y 2 ❂ x 3 � 4 x Kernel generator in red. ✥ ✦ x 2 ✰ 1 y x 2 � 1 ✣ ✭ x ❀ y ✮ ❂ ❀ x 2 x Luca De Feo (UVSQ & INRIA) Isogeny Graphs in Cryptography May 31, 2018, GDR Sécurité, Paris 10 / 44

  21. ❋ ✄ ✼✦ Isogenies: an example over ❋ 11 E ✿ y 2 ❂ x 3 ✰ x E ✵ ✿ y 2 ❂ x 3 � 4 x Kernel generator in red. ✥ ✦ x 2 ✰ 1 y x 2 � 1 This is a degree 2 map. ✣ ✭ x ❀ y ✮ ❂ ❀ x 2 x Luca De Feo (UVSQ & INRIA) Isogeny Graphs in Cryptography May 31, 2018, GDR Sécurité, Paris 10 / 44

  22. Isogenies: an example over ❋ 11 E ✿ y 2 ❂ x 3 ✰ x E ✵ ✿ y 2 ❂ x 3 � 4 x Kernel generator in red. ✥ ✦ x 2 ✰ 1 y x 2 � 1 This is a degree 2 map. ✣ ✭ x ❀ y ✮ ❂ ❀ x 2 x Analogous to x ✼✦ x 2 in ❋ ✄ q . Luca De Feo (UVSQ & INRIA) Isogeny Graphs in Cryptography May 31, 2018, GDR Sécurité, Paris 10 / 44

  23. Easy and hard problems In practice: an isogeny ✣ is just a pair of rational fractions x n ✰ ✁ ✁ ✁ ✰ n 1 x ✰ n 0 N ✭ x ✮ with n ❂ ❞❡❣ ✣❀ D ✭ x ✮ ❂ ✷ k ✭ x ✮ ❀ x n � 1 ✰ ✁ ✁ ✁ ✰ d 1 x ✰ d 0 and D ✭ x ✮ vanishes on ❦❡r ✣ . ⑦ Vélu’s formulas ❖ ✭ n ✮ Input: A generator of the kernel H of the isogeny. Output: The curve E ❂ H and the rational fraction N ❂ D . The explicit isogeny problem Input: The curves E and E ❂ H , the degree n . Output: The rational fraction N ❂ D . ⑦ Algorithms a Elkies’ algorithm (and variants); ❖ ✭ n ✮ ⑦ Couveignes’ algorithm (and variants). ❖ ✭ n 2 ✮ a Elkies 1998; Couveignes 1996. Luca De Feo (UVSQ & INRIA) Isogeny Graphs in Cryptography May 31, 2018, GDR Sécurité, Paris 11 / 44

  24. Easy and hard problems Isogeny evaluation Input: A description of the isogeny ✣ , a point P ✷ E ✭ k ✮ . Output: The curve E ❂ H and ✣ ✭ P ✮ . Examples Input = rational fraction; O ✭ n ✮ ⑦ Input = composition of low degree isogenies; ❖ ✭❧♦❣ n ✮ The isogeny walk problem O ✭❄❄✮ Input: Isogenous curves E , E ✵ . Output: A path of low degree isogenies from E to E ✵ . Luca De Feo (UVSQ & INRIA) Isogeny Graphs in Cryptography May 31, 2018, GDR Sécurité, Paris 12 / 44

  25. Easy and hard problems Isogeny evaluation Input: A description of the isogeny ✣ , a point P ✷ E ✭ k ✮ . Output: The curve E ❂ H and ✣ ✭ P ✮ . Examples Input = rational fraction; O ✭ n ✮ ⑦ Input = composition of low degree isogenies; ❖ ✭❧♦❣ n ✮ The isogeny walk problem O ✭❄❄✮ Input: Isogenous curves E , E ✵ . Output: A path of low degree isogenies from E to E ✵ . Exponential separation... Luca De Feo (UVSQ & INRIA) Isogeny Graphs in Cryptography May 31, 2018, GDR Sécurité, Paris 12 / 44

  26. Easy and hard problems Isogeny evaluation Input: A description of the isogeny ✣ , a point P ✷ E ✭ k ✮ . Output: The curve E ❂ H and ✣ ✭ P ✮ . Examples Input = rational fraction; O ✭ n ✮ ⑦ Input = composition of low degree isogenies; ❖ ✭❧♦❣ n ✮ The isogeny walk problem O ✭❄❄✮ Input: Isogenous curves E , E ✵ . Output: A path of low degree isogenies from E to E ✵ . Exponential separation...Crypto happens! Luca De Feo (UVSQ & INRIA) Isogeny Graphs in Cryptography May 31, 2018, GDR Sécurité, Paris 12 / 44

  27. Isogeny graphs ✣ We look at the graph of elliptic curves with E ✵ E isogenies up to isomorphism. We say two isogenies ✣❀ ✣ ✵ are isomorphic if: ❡ ✣ ✵ E ✵ Example: Finite field, ordinary case, graph of isogenies of degree 3 . Luca De Feo (UVSQ & INRIA) Isogeny Graphs in Cryptography May 31, 2018, GDR Sécurité, Paris 13 / 44

  28. Structure of the graph 1 Theorem (Serre-Tate) Two curves are isogenous over a finite field k if and only if they have the same number of points on k . The graph of isogenies of prime degree ❵ ✻ ❂ p Ordinary case (isogeny volcanoes) Nodes can have degree 0 ❀ 1 ❀ 2 or ❵ ✰ 1 . ■ For ✘ 50 ✪ of the primes ❵ , graphs are just isolated points; ■ For other ✘ 50 ✪ , graphs are 2 -regular; ■ other cases only happen for finitely many ❵ ’s. Supersingular case (algebraic closure) The graph is ❵ ✰ 1 -regular. There is a unique (finite) connected component made of all supersingular curves with the same number of points. 1 Deuring 1941; Kohel 1996; Fouquet and Morain 2002. Luca De Feo (UVSQ & INRIA) Isogeny Graphs in Cryptography May 31, 2018, GDR Sécurité, Paris 14 / 44

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Isogeny graphs in cryptography Luca De Feo Universit Paris Saclay, UVSQ March 18, 2019

Isogeny graphs in cryptography Luca De Feo Universit Paris Saclay, UVSQ March 18, 2019

Isogeny graphs in cryptography Luca De Feo Universit Paris Saclay, UVSQ March 18, 2019 Mathematical foundations of asymmetric cryptography Aussois, Savoie Slides online at https://defeo.lu/docet/ Overview Isogeny graphs 1 Elliptic Curves

1.96k views • 156 slides
Isogeny graphs in cryptography Luca De Feo Universit Paris Saclay, UVSQ July 29 August 29,

Isogeny graphs in cryptography Luca De Feo Universit Paris Saclay, UVSQ July 29 August 29,

Isogeny graphs in cryptography Luca De Feo Universit Paris Saclay, UVSQ July 29 August 29, 2019 Cryptography meets Graph Theory Wrzburg, Franken, Germany Luca De Feo (U Paris Saclay) Isogeny graphs in cryptography Jul 29Aug 2,

1.99k views • 174 slides
Isogeny graphs in cryptography: the good, the bad and the ugly Luca De Feo Universit Paris

Isogeny graphs in cryptography: the good, the bad and the ugly Luca De Feo Universit Paris

Isogeny graphs in cryptography: the good, the bad and the ugly Luca De Feo Universit Paris Saclay UVSQ May 13, 2019, Universit di Roma 3, Roma Slides online at https://defeo.lu/docet/ Elliptic curves Let E y 2 x 3 ax b

1.22k views • 76 slides
Isogeny graphs in cryptography Luca De Feo Universit Paris Saclay, UVSQ & Inria March

Isogeny graphs in cryptography Luca De Feo Universit Paris Saclay, UVSQ & Inria March

Isogeny graphs in cryptography Luca De Feo Universit Paris Saclay, UVSQ & Inria March 1923, 2018, Post-Scryptum Spring School, Les 7 Laux Slides online at http://defeo.lu/docet/ Photo courtesy of Elisa Lorenzo-Garca Overview

1.87k views • 144 slides
Isogeny graphs with real multiplication Sorina Ionica Ecole Normale Suprieure de Paris joint

Isogeny graphs with real multiplication Sorina Ionica Ecole Normale Suprieure de Paris joint

Isogeny graphs with real multiplication Sorina Ionica Ecole Normale Suprieure de Paris joint work with Emmanuel Thom Sorina Ionica 1 / 24 Isogeny graphs Kohel 1996: Graph with vertices elliptic curves defined over F q and edges all

302 views • 27 slides
BROOKS JETCHEV WESOLOWSKI ISOGENY GRAPHS OF ORDINARY ABELIAN VARIETIES PRESENTED AT ECC 2017,

BROOKS JETCHEV WESOLOWSKI ISOGENY GRAPHS OF ORDINARY ABELIAN VARIETIES PRESENTED AT ECC 2017,

ERNEST HUNTER DIMITAR BENJAMIN BROOKS JETCHEV WESOLOWSKI ISOGENY GRAPHS OF ORDINARY ABELIAN VARIETIES PRESENTED AT ECC 2017, NIJMEGEN, THE NETHERLANDS BY BENJAMIN WESOLOWSKI FROM EPFL, SWITZERLAND AN INTRODUCTION TO ISOGENY GRAPHS

770 views • 63 slides
Advances in isogeny-based cryptography Benjamin Smith Inria + Laboratoire dInformatique de

Advances in isogeny-based cryptography Benjamin Smith Inria + Laboratoire dInformatique de

Advances in isogeny-based cryptography Benjamin Smith Inria + Laboratoire dInformatique de lcole polytechnique (LIX) 1 Arithmetic of low-dimensional abelian varieties // ICERM // 6/6/19 Elliptic curve cryptography 1 Breaking keypairs

821 views • 57 slides
20 years of isogeny-based cryptography Luca De Feo feat. Jean Kieffer, Benjamin Smith

20 years of isogeny-based cryptography Luca De Feo feat. Jean Kieffer, Benjamin Smith

20 years of isogeny-based cryptography Luca De Feo feat. Jean Kieffer, Benjamin Smith Universit Paris Saclay, UVSQ & Inria November 14, 2017, Elliptic Curve Cryptography, Nijmegen Slides online at http://defeo.lu/docet/ Overview

1.07k views • 84 slides
Isogeny Based Cryptography: an Introduction Luca De Feo IBM Research Zrich November 18, 2019

Isogeny Based Cryptography: an Introduction Luca De Feo IBM Research Zrich November 18, 2019

Isogeny Based Cryptography: an Introduction Luca De Feo IBM Research Zrich November 18, 2019 Simula UiB, Bergen Slides online at https://defeo.lu/docet Why isogenies? Six families still in NIST post-quantum competition: Lattices 9

2k views • 172 slides
Isogeny Based Cryptography: an Introduction Luca De Feo IBM Research Zrich November 28, 2019

Isogeny Based Cryptography: an Introduction Luca De Feo IBM Research Zrich November 28, 2019

Isogeny Based Cryptography: an Introduction Luca De Feo IBM Research Zrich November 28, 2019 NTNU, Trondheim Slides online at https://defeo.lu/docet Why isogenies? Six families still in NIST post-quantum competition: Lattices 9 encryption

1.95k views • 160 slides
Isogeny-Based Public-Key Cryptography David Jao Department of Combinatorics & Optimization

Isogeny-Based Public-Key Cryptography David Jao Department of Combinatorics & Optimization

Isogeny-Based Public-Key Cryptography David Jao Department of Combinatorics & Optimization Centre for Applied Cryptographic Research June 17, 2016 CENTRE FOR APPLIED CRYPTOGRAPHIC RESEARCH (CACR) Motivation: Post-Quantum Cryptography

355 views • 16 slides
Isogeny-based cryptography, a quantum-safe alternative Annamaria Iezzi University of South

Isogeny-based cryptography, a quantum-safe alternative Annamaria Iezzi University of South

Isogeny-based cryptography, a quantum-safe alternative Annamaria Iezzi University of South Florida FWIMD - February 9, 2019 The key exchange problem ALICE and BELLE, communicating over a public channel, want to agree on a common secret

499 views • 18 slides
Isogeny-Based Cryptography Tanja Lange (with lots of slides by Lorenz Panny) Eindhoven

Isogeny-Based Cryptography Tanja Lange (with lots of slides by Lorenz Panny) Eindhoven

Isogeny-Based Cryptography Tanja Lange (with lots of slides by Lorenz Panny) Eindhoven University of Technology 20 & 21 July 2020 DiffieHellman key exchange 76 Public parameters: a finite group G (traditionally F p , today

1.65k views • 118 slides
Constructing Canonical Strategies For Parallel Implementation Of Isogeny Based Cryptography Aaron

Constructing Canonical Strategies For Parallel Implementation Of Isogeny Based Cryptography Aaron

Constructing Canonical Strategies For Parallel Implementation Of Isogeny Based Cryptography Aaron Hutchinson and Koray Karabina Florida Atlantic University INDOCRYPT 2018 Acknowledgment: This research was supported by the Army Research Office

288 views • 18 slides
Another Look At Some Isogeny Hardness Assumptions Simon-Phillipp Merz, Romy Minko, Christophe

Another Look At Some Isogeny Hardness Assumptions Simon-Phillipp Merz, Romy Minko, Christophe

Another Look At Some Isogeny Hardness Assumptions Simon-Phillipp Merz, Romy Minko, Christophe Petit ECC 2019 3 December 1 / 50 Motivation Isogeny based cryptography Another Look at Provable Security Neal Koblitz Dept. of

780 views • 61 slides
An introduction to supersingular isogeny-based cryptography Craig Costello November 10 ECC 2017

An introduction to supersingular isogeny-based cryptography Craig Costello November 10 ECC 2017

An introduction to supersingular isogeny-based cryptography Craig Costello November 10 ECC 2017 Nijmegen, The Netherlands W. Castryck (GIF): Elliptic curves are dead: long live elliptic curves https://www.esat.kuleuven.be/cosic/?p=7404

1.07k views • 78 slides
Trapdoor simulation Algorithms in CS courses of quantum algorithms WHAT is your algorithm?

Trapdoor simulation Algorithms in CS courses of quantum algorithms WHAT is your algorithm?

Trapdoor simulation Algorithms in CS courses of quantum algorithms WHAT is your algorithm? Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Joint work with: Tung Chou Technische

922 views • 70 slides
from a single quantum device THOMAS VIDICK CALIFORNIA INSTITUTE OF TECHNOLOGY Joint work with

from a single quantum device THOMAS VIDICK CALIFORNIA INSTITUTE OF TECHNOLOGY Joint work with

Certifiable randomness from a single quantum device THOMAS VIDICK CALIFORNIA INSTITUTE OF TECHNOLOGY Joint work with Zvika Brakerski (Weizmann), Paul Christiano, Urmila Mahadev, and Umesh Vazirani (UC Berkeley) Quantum Computing 1.0

359 views • 12 slides
Numb3rs 11 2 10 3 Some Cryptographic Functions 9 4 8 5 7 6 A Word on Efficiency Very

Numb3rs 11 2 10 3 Some Cryptographic Functions 9 4 8 5 7 6 A Word on Efficiency Very

0 12 1 Numb3rs 11 2 10 3 Some Cryptographic Functions 9 4 8 5 7 6 A Word on Efficiency Very huge numbers have very short representation Take a 256 bit integer, 111 = 2 256 -1 Can a computer just count up to this number? No. Not

427 views • 7 slides
How to challenge and cast your e-vote Sandra Guasch, Paz Morillo Financial Cryptography and Data

How to challenge and cast your e-vote Sandra Guasch, Paz Morillo Financial Cryptography and Data

How to challenge and cast your e-vote Sandra Guasch, Paz Morillo Financial Cryptography and Data Security 2016 Table of Contents Introduction 1 Cast-as-intended in Helios 2 Challenge and cast 3 Sandra Guasch, Paz Morillo How to challenge

789 views • 41 slides
On Basing Private Information Retrieval on NP-Hardness Tianren Liu 1 Vinod Vaikuntanathan 1 1 MIT

On Basing Private Information Retrieval on NP-Hardness Tianren Liu 1 Vinod Vaikuntanathan 1 1 MIT

On Basing Private Information Retrieval on NP-Hardness Tianren Liu 1 Vinod Vaikuntanathan 1 1 MIT liutr@mit.edu , vinodv@csail.mit.edu Thirteenth IACR Theory of Cryptography Conference . . . . . . . . . . . . . . . . . . . . .

696 views • 56 slides
Secure indexes and other oblivious search structures (Privaatne otsing: indeksid ning

Secure indexes and other oblivious search structures (Privaatne otsing: indeksid ning

Secure indexes and other oblivious search structures (Privaatne otsing: indeksid ning alternatiivid) Sven Laur swen@math.ut.ee Helsinki University of Technology Basic motivation Secure storage problem Client Alice does not have skills for

428 views • 16 slides
Asymmetric encrypCon CS642: Computer Security Professor

Asymmetric encrypCon CS642: Computer Security Professor

Asymmetric encrypCon CS642: Computer Security Professor Ristenpart h9p://www.cs.wisc.edu/~rist/ rist at cs dot wisc dot edu University of Wisconsin CS 642

662 views • 33 slides
One Way Functions Amit Suthar 05CS3016 Amar Patel 05CS3017 Computer Science and Engineering

One Way Functions Amit Suthar 05CS3016 Amar Patel 05CS3017 Computer Science and Engineering

One Way Functions Amit Suthar 05CS3016 Amar Patel 05CS3017 Computer Science and Engineering Department Indian Institute of Kharagpur, Kharagpur West Bengal, 721302 India Contents 1 Introduction 1 1.1 One Way Function . . . . . . . . . .

825 views • 8 slides

More recommend